Until early June, AT&T had an online tool that helped iPad 3G owners sign up for its mobile Wi-Fi service: Users typed in the 19-digit serial number for their iPad's micro-SIM card, also known as the ICC-ID (integrated circuit card identifier), and the site returned the e-mail address that the owner had used to verify registration. AT&T used that e-mail address to populate a log-in field on the Web registration form.
A group of researchers called Goatse Security spotted a flaw in this tool, and created a script that randomly generated and submitted ICC-ID numbers to the site. They got back over 114,000 e-mail addresses, including those of White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, and other high-profile iPad owners. Goatse Security did not contact AT&T first, but they did wait until the company changed the site before providing the e-mail addresses and serial numbers to a Gawker.com editor, who then disclosed the flaw.
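The enumeration described above leaves a distinctive trail in the lookup form's access log: one client querying many different ICC-IDs in a short span, many of them never issued. The following is an added detection example, not AT&T's or Goatse Security's code; the log format, addresses and ICC-IDs are constructed, and it relies on the fact that ICC-IDs (ITU-T E.118) end in a Luhn check digit, so made-up serials usually fail that check.

```python
# Added example (not AT&T's code): spotting ICC-ID enumeration against a
# self-service lookup form from its access log. All log lines are constructed.
from collections import defaultdict

def luhn_ok(digits: str) -> bool:
    """ICC-IDs (ITU-T E.118) end in a Luhn check digit, so serials that were
    simply made up usually fail this test before they ever reach the database."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_line(line: str):
    # Constructed format: "<unix_ts> <client_ip> GET /register?iccid=<digits> <status>"
    ts, ip, _method, path, status = line.split()
    return int(ts), ip, path.split("iccid=", 1)[1], int(status)

def flag_enumerators(lines, window=60, max_distinct=5):
    """Return {client_ip: (distinct_ids, luhn_failures, not_found)} for each
    client that queried more than max_distinct different ICC-IDs inside any
    window-second span. A real owner checks one card, perhaps twice."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, iccid, status = parse_line(line)
        by_ip[ip].append((ts, iccid, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - t0 <= window]
            ids = {e[1] for e in span}
            if len(ids) > max_distinct:
                flagged[ip] = (len(ids),
                               sum(1 for x in ids if not luhn_ok(x)),
                               sum(1 for e in span if e[2] == 404))
                break
    return flagged

# Constructed sample: one owner re-checking their own card, and one client
# walking through neighbouring serials at one request every five seconds.
SAMPLE_LOG = [
    "100 203.0.113.7 GET /register?iccid=8901410000000000005 200",
    "130 203.0.113.7 GET /register?iccid=8901410000000000005 200",
] + [
    f"{200 + 5 * n} 198.51.100.9 GET /register?iccid=8901410000000000{tail} {code}"
    for n, (tail, code) in enumerate([("000", 404), ("001", 404), ("002", 404),
                                      ("003", 404), ("005", 200), ("104", 200),
                                      ("203", 200), ("302", 200)])
]
```

Either signal alone (many distinct serials from one client, or a high share of Luhn failures and 404s) is a reason to rate-limit the form; the lasting fix is not to hand back the e-mail address at all before the user has proven they own the account.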
Should such seemingly trivial leaks be subject to current data-breach notification laws? And if they should, just how serious is the threat of identity theft when an attacker obtains an e-mail address and a serial number?
Breach? What Breach?
Under current law, AT&T did not have to disclose the exposure of the e-mail addresses or serial numbers. Dorothy Attwood, AT&T's chief privacy officer, claimed in an apology to iPad 3G customers that Goatse "deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses." Attwood also stressed that the AT&T Website did not lead directly to financial or personal information.
While an exposed e-mail address might attract more spam, the ICC-ID by itself should be useless. However, speaking at SOURCE Boston in April, Nick DePetrillo and Don A. Bailey showed how ICC-IDs such as those employed by AT&T can be used to guess the more important IMSI (International Mobile Subscriber Identity) number for each account owner. Although it was specific to attacking the GSM mobile phone network, DePetrillo and Bailey's talk (see the PDF of their presentation) showed how IMSIs could help to reveal the identity of the account owner and other information.
As of April, 46 states and three U.S. territories have laws for notification of consumers whose information may have been compromised in data breaches, according to the National Conference of State Legislatures. (None specifically cover leaks of SIM card data.) Alabama, Kentucky, New Mexico, and South Dakota do not yet have such data-breach notification laws. No federal notification law exists, but one may be in the works. A federal law specific to health-care data breaches (see the PDF) became a reality as part of the American Recovery and Reinvestment Act of 2009.
Most state laws mirror California's 2003 law SB1386, in which "personal information" is defined as first and last names, plus any combination of a Social Security number, driver's license, account number, or credit or debit card number with a password or security code. Leaks of unencrypted personal data must be disclosed unless under law-enforcement investigation (in which case the disclosure can be delayed). Encrypted data is exempt.
A pending 2010 revision to the California law, SB1166, includes improvements that other states have made, such as a description of the data-breach event in the notification letter, a copy of which must go to the attorney general's office.
Though the law is currently playing catch-up, consumers can take action for themselves. The Federal Trade Commission has an informative site that tells how to guard against identity theft, as well as what steps to take if you become a victim.
Additionally, the Fair and Accurate Credit Transaction Act of 2003 allows consumers to obtain one free credit report from each of the three credit bureaus annually. Experts advise writing to a different credit bureau every four months so that over the course of the year you obtain all three reports. Sometimes the three reports have discrepancies; FACTA makes it easier for consumers to resolve errors.
FACTA introduced a number of consumer credit tools, too. One is a fraud alert that requires anyone making an inquiry or change to your credit report to contact you first. The request for the alert needs to be updated every 90 days; if you've been a victim of identity theft, you can file a police report and obtain an extended fraud alert that is good for seven years.
A credit freeze, a more drastic measure, prevents anyone from accessing your credit report without your unfreezing it. There is a fee to freeze and unfreeze your credit report; some states waive the cost of a freeze if you have been a victim of identity theft and can document the event. The FTC site has information on how to obtain alerts and freezes.
Neither tool prevents you from getting a free copy of your credit report. Mortgage companies and others that currently do business with you retain access to your credit history; only new inquiries are stopped cold. These measures will not halt ongoing identity theft, nor will they prevent new account creation, since some new accounts don't require a credit check.
Though these tools and laws were designed to address credit-related data breaches, personal data is now leaking out in new and different forms. If criminals can guess how mobile carriers are associating users' account information with serial numbers, then perhaps new and better definitions of what qualifies as a data breach are necessary. The lesson here is that no leak is too small to cause major headaches later.