According to various news stories, a security hole in AT&T's website allowed a hacking group called Goatse Security to gain access to 114,000 email addresses of iPad customers. The original news story and updates can be found here on the Gawker.com website.
According to this story in ComputerWorld, the email addresses were downloaded after the group stumbled "... upon a program on AT&T's Web site that would send back the iPad user's e-mail address when given a unique SIM card identification number known as an ICC-ID (Integrated Circuit Card Identifier). By guessing ICC-ID numbers, the hackers were able to download 114,000 e-mail addresses..."
The Gawker story gives many more of the details for those interested.
AT&T acknowledged the security hole yesterday, saying it had fixed it on Tuesday after the company learned of the problem on Monday. The ComputerWorld story quotes an AT&T spokesperson as saying the exploited feature has been turned off.
This story in the Wall Street Journal reports that, "Ed Amoroso, chief security officer at AT&T, said the hole grew out of an effort by the carrier to make it easier for customers to renew subscriptions."
AT&T (naturally) downplayed the damage done by the hackers, and security analysts seem divided over how material the breach was/is.
A story in the New York Times says that the email addresses "included military personnel, staff members in the Senate and the House, and people at the Justice Department, NASA and the Department of Homeland Security, said the group member. Private-sector addresses that were exposed include those of executives at The New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, the News Corporation, and HBO."
Various reports say that those who had their email exposed included White House chief of staff Rahm Emanuel, New York Mayor Michael Bloomberg, ABC News anchor Diane Sawyer, film producer Harvey Weinstein, and Col. William Eldridge, commander of the largest operational B-1 strategic bomber group in the U.S. Air Force.
AT&T complained that, "The person or group who discovered this gap did not contact AT&T," implying that the group had some obligation to do so.
The company also said that, "We take customer privacy very seriously..."
I wonder if the 114,000 who have had their email exposed - especially those in the White House - or Apple - really believe that very much.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.