Oops. AT&T has egg on its face after leaving sensitive information on 114,000 owners of the iPad 3G exposed on the Web. A group known as Goatse Security has published the personal e-mail addresses of the victims--many of whom are popular celebrities, prominent executives and high-ranking dignitaries--that it obtained by exploiting an automated script on an AT&T server.
The true motive behind Goatse Security exposing this information is unknown. Had the group followed generally accepted vulnerability disclosure ethics, it would have contacted AT&T directly to notify them of the flaw, and allowed AT&T a reasonable amount of time to respond to the issue before announcing the discovery. And, of course, an ethical disclosure would not include exposing the compromised data. Perhaps Goatse Security simply wanted to embarrass AT&T or Apple.
The official statement I received from an AT&T spokesperson reads:
"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses. The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."
Thankfully, the data leak did not include more sensitive data such as credit card number or home address. While the individuals involved in the data compromise might need a stronger spam filter--or simply new e-mail addresses--there isn't any real security concern resulting from the breach. White House Chief of Staff Rahm Emanuel, and Diane Sawyer of ABC News may be inundated with unwanted e-mail of all sorts, but most spam today is simply mass distributed to all possible combinations at a given domain. It's more likely that famous personalities might see an influx of unwanted messages from average citizens.
What was included aside from the e-mail address is the ICC-ID of each individual's iPad 3G. The ICC-ID, or integrated circuit card identifier, is a unique code assigned to the SIM chip in the iPad which allows it to connect with AT&T's 3G network.
There have been some concerns expressed over whether exposing the ICC-ID opens up any additional security repercussions. But, a Gawker report on the incident quotes Emmanuel Gadaix, a Nokia veteran, explaining that while there have been "vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID... as far as I know, there are no vulnerability or exploit methods involving the ICC ID."
The fact that there is little to no security concern resulting from the data breach offers some consolation to the 114,000 affected iPad 3G owners. However, it doesn't do much for AT&T's reputation with customers or its credibility with Apple.