The breach, first reported by the website Gawker.com, occurred when a group calling itself “Goatse Security” hacked into AT&T website to get e-mail addresses of about 114,000 iPad users, and obtaining a list of email addresses that also included celebrities, chief executives and politicians. They — as well as any other buyers of the Apple’s tablet — could be vulnerable to spam marketing and malicious hacking, according to the Reuters’ report.
“The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyber threat,” FBI spokesman Jason Pack said on Thursday. AT&T, which has exclusive U.S. rights to carry the iPad, has acknowledged the security breach but said it had corrected the flaw and that only email addresses were exposed to hackers who identified a security weakness.
In all, more than 114,000 email addresses are believed to have been exposed. One source in the telecommunications industry said it was not surprising that the FBI was looking at the breach. “If there’s a high profile data compromise it’s not unusual to get a phone call from government officials,” said the executive, who asked not to be named.
The leak could have affected all iPad 3G subscribers in the U.S., according to Gawker, which broke the story on Wednesday. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.
A group that calls itself Goatse Security tricked the AT&T site into disclosing the e-mail addresses by sending HTTP (hyper text transport protocol) requests that included SIM card serial numbers for iPads, the report said. Because the serial numbers, called ICC-IDs (integrated circuit card identifiers), are generated sequentially, the researchers were able to guess thousands of them and then ran a program to extract the data by going down the list.
AT&T spokesman Mark Siegel confirmed the breach to CNET, saying the company turned off the feature that provided e-mail addresses on Tuesday, one day after learning of the problem from someone not affiliated with the hacker group.
“AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device,” he said in a statement. “We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained,” he added. “At this point, there is no evidence that any other customer information was shared.”
Charlie Miller, an analyst with Independent Security Evaluators, argued that the breach had nothing to do the iPad’s security. “The actual vulnerability is pretty basic, but the loss of data is not serious, in my opinion. The data on the iPad and the devices themselves were never compromised or vulnerable,” Miller said via e-mail.
George Kurtz, chief technology officer for security software company McAfee, also downplayed the severity of the breach. “I would guess that this application vulnerability gained so much attention because, after all, it is Apple we are talking about,” Kurtz wrote in a blog post. “The hype around Apple products — like the new iPhone and iPad — is amazing. However, the reality is this type of vulnerability isn’t really news and happens all day long.”
But the security gaffe isn’t likely help AT&T win any friends among Apple customers. The carrier has been criticized by iPhone users for the quality its network. “Everybody realizes security is an issue all companies have to deal with,” BTIG analyst Walter Piecyk said. “Apple has endured the reputation of AT&T’s network, which seems to be a much bigger deal.” [via Reuters, Gawker and CNET]