
I find this a bit concerning not because Apple was hit, but because getting hit by some Java-malware necessitates a public statement. Anyone here in an organization of more than about 10 users likely has one or more of them with malware of some sort on their device right now, and it is treated as just the cost of the platform. In my organization I'm sort of the paranoid in that I treat every exposure as a serious event, but I am very much alone on that.



Unless they can prove (to themselves) that no customer data could have been obtained, they have to disclose this due to laws in several states, including California.

Aside from that, I believe it is ambiguous as to whether or not publicly traded companies have to disclose incidents that may have adverse effects for investors. In some cases, ambiguous errs on the side of not getting sued or sanctioned.

It's good that companies are coming out. I work in infosec, and it's constantly a battle with clients who take an "it can't happen to a big company like us, we have a professional IT department" mindset. It is happening, constantly, and things only improve when there is awareness.

I also like the forced disclosure to deal with the "they probably won't hack us, and if they do, we will just fix it later and quietly cover it up" companies. There are a fair number of those as well. Doing things right costs money that they think they can get away with not spending. Usually, that translates to externalizing the cost to the customers who get hacked for using their products, or get their data raided.


This is untrue; there is no law saying as such.

Every large (>1000 employees) organization has DAILY infections on employee computers. That is the reason for IT departments. If any big corp did a press release every time they found malware on a computer, it would just be a never-ending stream.

Not everyone who works for Apple is a programmer. There are janitors, cooks, secretaries, etc. Those people use IE and click links in emails.

I can't say as to why Apple chose to release this statement. I can just say I am fairly confident they did not have to.


Are there really non-programmers (i.e. not those working on iTunes/Safari on Windows) at Apple using IE/Windows?


Almost certainly: I'd be shocked if they didn't have HR or accounting people dealing with incredibly hairy enterprise accounting, payroll, purchasing, etc. apps. If they're lucky, they support IE > 6.

At a previous job, I called Oracle support for one of their enterprise apps (we paid at least 6 figures a year for “support”) asking about IE8 compatibility and was eventually told that they don't test Microsoft's software for them and would wait until it was released to start. This was after IE8 was released and our users had already discovered that Oracle's thicket of JavaScript had an ancient bindows.net library which relied on IE not throwing an exception for a completely erroneous misuse of elem.style; a week or so later, a support manager called me to ask for a copy of the monkey-patch I'd mentioned so they could distribute it to other customers.


It doesn't sound like the law is quite that strict: "California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person."

http://oag.ca.gov/ecrime/databreach/reporting


Right, it depends who was compromised. My statement accounted for the fact that Apple has access to so much personal information (iCloud, Siri, App Store, all customer service functions, AppleCare, etc.). But it's true that they have many employees who have no such access and would not trigger the California law.

Generally the attacks are fuzzy. The attackers are quick to pivot off of the first infected system, because defenses tend to be extremely weak inside the firewall. They look for test systems, code repos, privileged interfaces, etc. For this reason, if they can't reasonably say that the compromise didn't lead anywhere else, they could get in a lot of trouble for failing to disclose.

Remember Sony? They kept quiet and attributed billions in losses to that incident, and had regulators down their backs. Nobody wants to deal with that. If the details of the compromise are not thoroughly understood internally, it could be better to say what happened and note that you don't believe user data was compromised.



