AT&T Leak Exposes 114,000 iPad Customer E-mails
The hacker group, known as Goatse Security, obtained the e-mail addresses of numerous high profile iPad customers, including CEOs, military officials and top politicians, by launching automated script attacks on AT&T's Web-based server based on their iPad 3G SIM cards, according to a report in Gawker.
Altogether, the hackers leaked the e-mail addresses of at least 114,000 iPad users from an exclusive Apple list that included New York Times Co. CEO Janet Robinson, Diane Sawyer, Harvey Weinstein, Mayor Michael Bloomberg and William Eldredge, among others. Other affected people included top executives at Dow Jones, Conde Nast, Viacom, Time Warner, News Corporation, HBO and Hearst.
The iPad customer information included e-mail addresses, along with an associated ID used to verify the identity the user on AT&T's network, known as the integrated circuit card identifier identification, or ICC-ID number.
The ICC-ID is used to identify the SIM cards that connect a mobile device with a specific user. Subsequently, "it's possible that confidential information about every iPad 3G owner in the U.S. has been exposed," Gawker said, indicating that they could be "vulnerable to spam marketing and malicious hacking."
The hacker group was able to obtain numerous ICC-ID numbers after it launched automated requests in a malware attack, which were then linked to individual customers. Goatse Security initially obtained data on AT&Ts Website, which was publicly available to anyone. Hackers had only to enter the ICC-IDs, and the script would return the corresponding e-mail addresses, in an AJAX-style response within the Web application.
To make AT&T's Web servers respond, the hackers had only to put an iPad style "user-agent" header in their Web request, which were then automated with a script. The Goatse hackers were then able to guess a significant portion of the individuals' identities based on the known iPad 3G ICC-IDs.
AT&T said in a statement that it patched the security leak Tuesday, although iPad customers didn't find out about the breach until Wednesday.
"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest level so the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the email addresses," AT&T said in a statement. "We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained."
AT&T's bungled data policies and its delinquency in reporting the breach likely didn't do much to strengthen an already tenuous relationship with Apple.
Although AT&T appears to be culpable for the breach, Apple is still responsible for the privacy of its customers' e-mail addresses, which are submitted in order to activate their iPads -- especially in light of the fact that its customers don't have a choice regarding the device's mobile carrier.
To make matters worse, AT&T balked at telling its customers, and likely Apple for that matter.
"At the very least, AT&T exposed a very large and valuable cache of email addresses, VIP and otherwise, This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple," the Gawker report said.