On Sunday evening, AT&T sent an e-mail message to owners of the Apple 3G iPad notifying them of a security breach that was publicized early last week.
The message, sent by Dorothy Attwood, a senior vice president and chief privacy officer at AT&T, explained that a number of iPad 3G owners’ e-mail addresses, along with a private identification number known as an ICC-ID, were made public through a breach in AT&T’s Web site. The company also apologized for the security error.
AT&T laid blame on a security group that first discovered the weakness on the company’s Web site. Ms. Attwood wrote that “unauthorized computer ‘hackers’ maliciously exploited a function designed to make your iPad log-in process faster.”
Ms. Attwood refers to the group in the e-mail as “self-described hackers” and writes that the group “deliberately went to great efforts” to gain access to customers’ private information.
Ms. Attwood also accused the group of putting “together a list of these e-mails and distributed it for their own publicity.”
In a recent blog post on Goatse Security’s Web site, a member of the group defended its actions, stating that “all data was gathered from a public webserver with no password, accessible by anyone on the Internet.” The groups’ members also noted that their efforts were meant to protect the public and said the only person to receive the e-mail addresses and ICC-ID numbers was “Gawker journalist Ryan Tate who responsibly redacted” any visible personal information.
Members of the group used the UCC-ID that is on each iPad 3G and pinged the AT&T login page with it. That page returned an e-mail address associated with that iPad 3G. They then wrote a simple script to ping the page with a series of numbers repeatedly until they had 114,000 e-mail addresses.
The full e-mail from AT&T regarding the security breach is below:
June 13, 2010
Dear Valued AT&T Customer,
Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer e-mail addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.
Here’s some additional detail:
On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the e-mail address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the e-mail address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses. They then put together a list of these e-mails and distributed it for their own publicity.
As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the e-mail address. Now, the authentication page log-in screen requires the user to enter both their e-mail address and their password.
I want to assure you that the e-mail address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your e-mail, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.
While the attack was limited to e-mail address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.
AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.
AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T