AT&T operated the Web server with weak security controls, as Gawker first reported, that allowed security researchers and unknown others to download email addresses and ICC-IDs (the serial numbers of the SIM cards inside the iPad 3G) for tens of thousands of iPad 3G customers, including leaders in politics, the military, the media, and finance. The telecom company issued a statement apologizing for the breach while trying to minimize the impact, emphasizing that only two pieces of data per customer were exposed:
"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDs. The only information that can be derived from the ICC IDs is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDs may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."
AT&T also tried to put the best face on its actions in an interview with our colleague Matt Buchanan at Gizmodo. In the interview, AT&T's chief security officer Ed Amoroso gave a fascinating explanation of how an AT&T sign-in app on the iPad led to the security breach—an explanation that, while admirably detailed, spun the story to emphasize AT&T's desire to make life easier for customers.
But customers aren't served by leaks of their private information, or by Amoroso pointing fingers at the group who flagged their vulnerability, Goatse Security, for not following a "responsible disclosure process." Whether that's the case or not—GoatSec said it notified AT&T, AT&T said it found out from a customer on Monday—AT&T should be handling customer data more carefully, and should have moved more quickly to warn its subscribers.
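To make concrete why a feature that returns the e-mail address for an ICC-ID is dangerous even when "only two pieces of data" are involved, here is an added illustration. It is not AT&T's code and not the script Goatse Security used; the issuer prefix, account numbers, addresses and tokens are constructed sample data. An ICC-ID is a SIM serial number built from a fixed issuer prefix, an account number that issuers typically allocate in sequence, and a Luhn check digit, so anyone holding one valid ID can generate its neighbours. Against a lookup that asks for nothing but the ID, that walk harvests every address on file; against a lookup that also demands a secret bound to the SIM, the same walk returns only the caller's own record.

```python
"""Added illustration (not AT&T's code): an ICC-ID-to-e-mail lookup with and
without proof that the caller owns the SIM.  All data below is constructed."""

import hmac
import secrets


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit, the scheme used for the final digit of an ICC-ID."""
    total = 0
    # Walk from the right: the digit nearest the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


# Constructed issuer prefix: "89" is the telecom industry identifier, the rest
# is a made-up country/issuer code.  Not a real AT&T allocation.
ISSUER_PREFIX = "89014103"


def make_iccid(issuer_prefix: str, account: int) -> str:
    """Assemble a 19-digit ICC-ID: prefix + 10-digit account number + check digit."""
    payload = f"{issuer_prefix}{account:010d}"
    return payload + luhn_check_digit(payload)


# Constructed subscriber table: ICC-ID -> e-mail plus a per-SIM secret that a
# device could derive from a real SIM authentication.  Sequential account
# numbers mimic how issuers hand out cards from a block.
SUBSCRIBERS = {}
for _account, _email in [
    (2710004401, "alice@example.com"),
    (2710004402, "bob@example.com"),
    (2710004407, "carol@example.com"),
]:
    SUBSCRIBERS[make_iccid(ISSUER_PREFIX, _account)] = {
        "email": _email,
        "token": secrets.token_hex(16),
    }


def lookup_email_open(iccid: str):
    """Weak form: any well-formed ICC-ID yields its e-mail, no ownership check."""
    rec = SUBSCRIBERS.get(iccid)
    return rec["email"] if rec else None


def lookup_email_authenticated(iccid: str, token: str):
    """Hardened form: the caller must present the secret bound to that ICC-ID.
    constant-time compare so the check itself leaks nothing about the token."""
    rec = SUBSCRIBERS.get(iccid)
    if rec is None or not hmac.compare_digest(rec["token"], token):
        return None
    return rec["email"]


def harvest(lookup, known_iccid: str, radius: int = 10) -> dict:
    """Enumerate account numbers around one known ICC-ID and collect every
    e-mail the given lookup function is willing to return."""
    prefix = known_iccid[: len(ISSUER_PREFIX)]
    account = int(known_iccid[len(ISSUER_PREFIX):-1])
    found = {}
    for n in range(account - radius, account + radius + 1):
        candidate = make_iccid(prefix, n)
        email = lookup(candidate)
        if email:
            found[candidate] = email
    return found


if __name__ == "__main__":
    mine = make_iccid(ISSUER_PREFIX, 2710004401)  # the attacker's own SIM
    my_token = SUBSCRIBERS[mine]["token"]
    print("open lookup:", harvest(lookup_email_open, mine))
    print("authenticated lookup:",
          harvest(lambda i: lookup_email_authenticated(i, my_token), mine))
```

The open lookup hands back every neighbouring subscriber because the only thing it checks is whether the ID exists; with 21 guesses it recovers three of three constructed records, and the real incident scaled that to 114,000 by walking the blocks AT&T had issued. The authenticated lookup rejects every guess except the caller's own, which is the property the page's "feature that provided the e-mail addresses" lacked. A production fix would also rate-limit and log failed lookups per source, since a guessable identifier plus an unlimited oracle is the whole problem.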
Experts said that ICC-ID numbers could, in the right hands, be used to get other information, like an iPad's location.
The breach "should be worrying people a lot," said Nick DePetrillo, an independent security consultant.
Michael Kleeman, a communications network expert at the University of California, San Diego, said... "you could in theory find out where the device is," Mr. Kleeman said. "But to do that, you would have to gain access to very secure databases that are not generally connected to the public Internet."
The Times spooked itself enough to send a memo to all newspaper staff, saying, according to the copies we obtained, "As our security team and network engineers investigate the full extent of the breach via Apple and AT&T, we suggest that you turn off your access to the 3G network on your iPad until further notice."
AT&T, meanwhile, is still "doing the forensics," Amoroso told Gizmodo. In other words, it doesn't yet know how many accounts have been impacted. Once it does, more damage control will no doubt be necessary.
[Photo, top: The list of 114,000 compromised accounts provided to Gawker was nearly 2,000 pages long.]