AT&T's iPad E-Mail Breach

By  |  Thursday, June 10, 2010 at 9:22 am

The most fascinating thing about the case of a hacker group downloading 114,000 e-mail addresses of iPad 3G owners from AT&T’s servers–other than the confirmation that a lot of high-powered people bought iPads–is the fact that it’s a major security breach involving one of the most locked-down products on the planet. And there’s nothing iPad owners could have done to prevent it, since the data was swiped from AT&T, not individual iPads.


Read more: , , ,

6 Comments For This Post

  1. John Baxter Says:

    There are reasons why I create special email addresses for cloud stuff.

    I’m pretty safe on this one, as my iPad is, at most, stuff sitting in parts bins at several Foxconn subcontractors.

    (I will order now that the WWDC keynote has passed without giving me a reason not to.)

  2. kidTruant Says:

    As one of those 3G iPad owners who had his email address swiped (and supposedly just my email address), I find it really interesting that AT&T has not contacted me about the breach. Here is a major PII breach (personally identifiable information) and the company responsible for failing to secure that information has yet to reach out impacted customers.

    One more AT$T failure?

  3. Vulpine Says:

    Question for kidTruant: How do you know you were one of the victims? I certainly didn’t see “[email protected]” anywhere in the listing shown on any of the reporting sites.

    Or are you just being paranoid and making the assumption? Did somebody, anybody, contact you to say your name was on the list?

    Personally, based on what I’ve read from more recent reports, only email addresses where skimmed, and that was due to a brute-force script simply sending in CID numbers to an AT&T database until it started receiving email addys. In other words, the worst you could get from it is more spam mail–unless you happen to keep a very poor password on your email.

  4. kidTruant Says:

    @Vulpine… It’s a valid question, though you seem to miss the point of my comment. But to answer… A) I didn’t use my kidTruant address to create my account; B) there are no *published* lists of the email addresses stolen so I doubt you would have seen it; and C) I’m no CEO, Mayor or Presidential Aide, so I’m not important enough to pop-up on anyone’s list, I imagine. So no, no paranoia.

    The point of my comment is that is incumbent upon a company that experiences a data breach to contact the people who are impacted. This is SOP, unless the company manages to hide the hack from the media / customers. Obviously, not in this case. At the very least, an email apology from AT&T for leaving a door unlocked would be a good customer service start. Data loss prevention is paramount in the world of electronic storage, and using a poorly designed architecture that exposes the ICC-IDs so relatively easily is negligent, if not downright incompetent. It begins to beg the question… where else are there holes in their data security architecture? What if it was more than email addresses, but included home address, credit card information or allowed data in transit to be captured? Whether or not any of those are realistic, the architectural mistake AT&T made has now become a customer service and PR mistake. Apple should be pissed. Any AT&T customer should be pissed.

  5. Abigail Moore Says:

    iPad is way too cool to own, i wanna buy one next month..,~

  6. Lilly Bell Says:

    i gave my girlfriend an ipad and she was very very happy*`,