The F.B.I. is investigating a security hole on AT&T’s website that allowed a group to obtain the email addresses of 114,000 iPad 3G owners. Many top corporate executives, senior government officials, important military officers and famous journalists were among those affected. This list includes ABC News' Diane Sawyer, New York City mayor Michael Bloomberg and White House Chief of Staff Rahm Emanuel. It is important to note that this group only obtained email addresses and not entrance to the email accounts or any personal data.
Jason Pact, a supervisory special agent attached to the news media office of the FBI, told the New York Times: “The F.B.I. is aware of these possible computer intrusions and has opened an investigation to address the potential cyberthreat.”
Contrary to some reports, Apple iPads were not hacked. It was the security on AT&T’s website that was compromised. This is what allegedly happened:
AT&T provided iPad 3G owners with a feature that allowed them to check their data accounts from their iPad 3Gs. iPad 3G owners typically check their data accounts to see how much data they were using so they don’t run up high bills. To make this feature easy to use, AT&T programmed it so that the user’s email address was automatically inserted in this request. Each email address is linked to an iPad’s ICC-ID. ICC-IDs are the identification numbers that iPads use to communicate with the AT&T network.
This group obtained the email addresses by figuring out the numbering pattern used to create ICC-IDs. It then sent an ICC-ID to AT&T’s website and the website returned the related email address. When the group saw the possibilities, it then wrote a program to automate the process and collected 114,000 email addresses.
The group then went public with what it had done by contacting a reporter who “agreed he would censor the ICCIDs and the e-mails so they couldn't be used to compromise anything”, according to one of its members who was interviewed. The group never contacted AT&T directly.
AT&T issued a statement saying that it was informed of the breach on Monday and closed this security gap by Tuesday by basically turning off the feature that provided the e-mail addresses. It goes on to say that “The only information that can be derived from the ICC IDS is the e-mail address attached to that device” and that AT&T is “continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained".
You should follow me on twitter here for tips, tricks and fun tweets about the Apple iPad.
Comments
Wreckless...If true, this group was nothing less than wreckless to have contacted the media before contacting the company. Standard practice is to contact the company first. Their grandstanding put a lot of sensitive email address at risk. Their wrecklessness was more of a breach than ATT carelessness.
Got something to say?
Examiner.com is looking for writers, photographers, and videographers to join the fastest growing group of local insiders. If you are interested in growing your online rep apply to be an Examiner today!