Basically, a group of hackers discovered a flaw on AT&T’s Web site, stole a ton of iPad owners’ identifying information, and gave the data to a popular blog. The security hole has since been plugged.
The hackers go by the name Goatse Security and have previously been responsible for unearthing vulnerabilities in Web browsers and in Amazon’s community ratings system, according to Valleywag.
Goatse found a buggy Web application on AT&T’s Web site that returned an iPad user’s e-mail address when it was sent specially written queries. These queries involved ICC-IDs (Integrated Circuit Card Identifiers) — unique numbers given to iPad owners that identify iPads connected to AT&T’s mobile network. Goatse then wrote an automated script that repeatedly sent thousands of random ICC-IDs, downloaded the e-mail addresses, and then gave them to the Gawker sister site Valleywag.
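As an added illustration (not code from Goatse, AT&T or the original article), here is how a site operator could spot this pattern in access logs: one client asking about many different ICC-IDs in a short time. The endpoint path, parameter name, log format, 19-20 digit ID length, thresholds and all log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Hypothetical endpoint and parameter name; the article does not give the real ones.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup\?iccid=(?P<iccid>\d{19,20}) HTTP/[\d.]+" (?P<status>\d{3})'
)

def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {client_ip: peak distinct ICC-IDs seen in any window} for clients over the limit."""
    recent = defaultdict(deque)  # ip -> (timestamp, iccid) pairs still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed request
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append((ts, m["iccid"]))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop requests that have aged out of the window
        distinct = len({iccid for _, iccid in q})
        if distinct > max_distinct:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

def sample_log():
    """Constructed log: one device polling its own ID, one client walking through many IDs."""
    base = datetime.strptime("09/Jun/2010:12:00:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "GET /lookup?iccid={iccid} HTTP/1.1" 200'
    lines = []
    for i in range(20):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, iccid="8900000000000000001"))
        lines.append(fmt.format(ip="203.0.113.9", ts=ts, iccid=str(8900000000000001000 + i)))
    return lines

if __name__ == "__main__":
    for ip, n in find_enumerators(sample_log()).items():
        print(f"{ip}: {n} distinct ICC-IDs within 60s")
```

A device that repeatedly looks up its own ICC-ID never trips the rule, because the count is of distinct identifiers rather than of requests.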
Celebrities such as Diane Sawyer also stomached the blow.
Valleywag points out that the e-mail list includes people privileged enough to receive an iPad prior to its wide release. This is not to say average iPad owners were not affected — that information cannot be confirmed.
Who’s to Blame?
First and foremost, it’s pretty clear that AT&T shoulders most of the responsibility for this incident, and the company admits as much. “We apologize that this happened. Nothing is more important to us. It’s the No. 1 priority, protecting customer privacy,” AT&T spokesperson Mark Siegel told CNET. Another AT&T spokesperson sponged blame from Apple’s corner by saying, “This is an AT&T issue … and people should feel comfortable using their iPads.”
Valleywag editorializes that Apple should share the blame. AT&T has an exclusive lock on the iPad’s 3G connectivity, and because of this, Valleywag believes that “Apple has a pronounced responsibility to patrol the network vendors it chooses to align and share customer data with.” That’s shaky ground to stand on since it’d be extremely taxing for a company as big as Apple to parse AT&T’s Web sites looking for security holes.
Aside from apologetic promises to inform customers who were impacted, AT&T hasn’t said much, and Apple hasn’t uttered a word to any news organization.
The FBI’s blurb was also succinct: “The FBI is aware of these possible computer intrusions and has opened an investigation,” FBI spokesperson Katherine Schweit told The Wall Street Journal. “It’s very early in the investigation,” Schweit adds.
Some may distrust and blame Goatse for its involvement, but in an interview with CNET, Escher Auernheimer, a key member of Goatse, defended the group’s participation, calling it an investigation in the public’s interest. “So I think it was necessary to inform the public in this particular manner. I know some people are criticizing us and calling it irresponsible, but we did our best effort to be good guys about it. We waited until the hole was patched. We didn’t disclose the data except to a reporter who agreed to censor the relevant bits. We felt it was in the public’s best interest,” Auernheimer said.
No matter how you spin it, the AT&T iPad data leak is a festering black eye for the mobile carrier, and Apple may begin distancing itself to save its own reputation. Without Apple and its exclusives, AT&T may have a tougher time weathering the storm.