AT&T breach compromises 114,000 iPad 3G users (Updated with AT&T confirmation)

Posted on June 9, 2010

An investigation today has found that a weakness in AT&T’s security has exposed the identities of over 114,000 iPad 3G owners in the past few weeks. Hacker group Goatse Security claimed to Gawker to have manipulated an AT&T website-side script that would return the e-mail addresses associated with the ICC-IDs of the SIM cards in Apple’s tablets. By using and guessing iPad ICC-IDs through a PHP script, as well as spoofing an iPad-like user agent, the group collected a large amount of personal information that included some well-known figures.Among those compromised were top political officials such as House Chief of Staff Rahm Emmanuel and New York City Mayor Michael Bloomberg. Some in publishing, media networks and the US military will also have been exposed.

The hole is believed to have been closed a few days ago and wouldn’t lead to security exploits on the iPads themselves. However, the plug arrived only after the hackers shared the script with other groups, some of whom may have used it to scrape e-mail addresses for any other 3G-capable iPad owner on AT&T. The carrier also hasn’t notified customers of the escaped data.

AT&T has been contacted by Electronista, but a spokesman said the network didn’t yet have an official response.

The unintentional leak has already been treated as a symbolic loss for AT&T. With iPhone customers in key cities like San Francisco still affected by heavy 3G data congestion and many others critical of its decision to end unlimited data plans, the carrier has been under heat to mend its reputation. AT&T’s very broad upgrade eligibility for the iPhone 4 has been interpreted by some as a sign that it has been anticipating an end to its iPhone exclusivity; the iPad breach risks thwarting some of its goodwill efforts.

Update: AT&T has provided a statement confirming the security breach.

AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. At this point, there is no evidence that any other customer information was shared.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.

By Electronista Staff

Posted in: GETGIT