Security Experts:

AT&T Exposes iPad Customer Data

AT&T acknowledged on Wednesday that a security hole in its Web site had exposed the email addresses of some iPad owners.

A group of computer experts that calls itself “Goatse Security” claimed to have exploited the AT&T Web site using part of an HTTP request, triggering a script which would return the associated email address using an AJAX-style response within the Web application.

It’s important to note that the breach won’t effect iPad owners who have not signed up for AT&T 3G wireless service for their iPads and that it does not appear that any financial or billing data was exposed.

Gawker Media first reported the breach Wednesday and AT&T sent a response to Gawker on the incident:

"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."

Through the breach, the Goastse group claimed to uncover over 114,000 email addresses of of iPad customers, including government officials, business executives, and the military, including William Eldredge, commander of a B-1 bomber group for the U.S. Air Force. Gawker reported that White House Chief of Staff Rahm Emanuel was on the list as well. 

Subscribe to the SecurityWeek Email Briefing
view counter