AT&T is apologizing to over 100,000 Apple iPad 3G owners for what it says was a security breach by a hacker who gained access to e-mail addresses. The apology came on Sunday, six days after AT&T says a hacker gained access to 114,000 AT&T iPad 3G customers’ e-mail addresses, according to Dorothy Attwood, senior vice president for public policy and chief privacy officer.
AT&T says that it learned on June 7 that hackers had “maliciously exploited” a function in its system to obtain the serial numbers of AT&T SIM cards for the iPad 3G (called ICC-IDs) and their corresponding email addresses (including some high-ranking names from the Senate, Department of Justice, FCC, NASA, Google, Amazon, Microsoft and several big media companies).
In a public statement Attwood assured users no other information was exposed, and that the matter has been resolved.
The list of email addresses obtained through this exploit was then offered to the media, with Gawker being the first to pick up on the story on June 9. AT&T claims in the email that it plugged the security hole that allowed this breach “within hours”, and says that email addresses and ICC-IDs were the only information available through the security hole.
The group of computer experts that exposed the AT&T security hole, called Goatse Security, has taken offence at the wireless carrier calling them “hackers” and their activities “malicious” in the apology email to customers. The group wrote on its blog on Monday morning that AT&T “is being dishonest about the potential for harm” from the security hole it has exposed.
Goatse Security’s Escher Auernheimer claims “AT&T is trying to crucify us over this”, insisting “there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist [at Gawker] and destroyed the data afterward.” Prior to the Gawker story, the group had reportedly emailed several other media companies, including Fox News and Reuters, to pitch their findings.
The Federal Bureau of Investigation opened an investigation into the AT&T security breach last Thursday. Gawker, which also published a picture of a stack of papers with the ICC-ID numbers and associated email addresses harvested by Goatse Security, has been contacted by the FBI.