AT&T Breach Exposes iPad Owners’ Email Addresses
Well, this doesn’t bode well for Apple-AT&T relations…
A security breach at AT&T has exposed the email addresses of thousands of iPad owners–among them a who’s-who of the media and political elite.
Valleywag reports that by exploiting a vulnerability in the AT&T Web site, hacker group Goatse Security was able to collect email addresses associated with the SIM integrated circuit card identifiers, or ICC IDs, in the 3G version of Apple’s (AAPL) new slate device. And it collected some 114,000 of them–from New York Times Co. (NYT) CEO Janet Robinson to New York Mayor Michael Bloomberg and White House Chief of Staff Rahm Emanuel–before notifying AT&T (T) of the breach so the carrier could repair it.
Interestingly, AT&T claims it was a business customer who alerted it to the vulnerability on Monday, and not Goatse or Valleywag. The carrier says that the only information compromised consisted of ICC IDs and the email addresses attached to them. And contrary to some rumors making the rounds, AT&T says it is not advising iPad 3G owners to disable 3G.
Obviously, this is an ugly humiliation for AT&T. But as a security breach, it’s not devastating. The only data compromised were email addresses and ICC IDs. The former could be sold to spammers, and I’m not sure there’s much ill to be done with the latter. Which is not to downplay the severity of the incident. AT&T’s negligence here is deeply troubling–and worth remembering every time we entrust our personal data to someone else.
AT&T, which would not tell me exactly how many Apple iPad 3G users are affected, did release the following statement:
AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. At this point, there is no evidence that any other customer information was shared.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.
Apple did not respond to a request for comment.