AT&T iPad data leak: Hack or hype?

FBI looks into the case, amid questions of whether a crime was committed

The FBI has launched an investigation into the possible hack of AT&T’s Web site, in which hackers took the e-mail addresses of more than 100,000 Apple iPad users, including some in U.S. military and civilian agencies.

The question appears to be who, if anyone, should be targeted in the investigation.

"The FBI is aware of these possible computer intrusions and has opened an investigation," FBI spokeswoman Katherine Schweit told the Wall Street Journal, but she declined to comment on the focus of the investigation.

A group of hackers exploited a flaw in AT&T’s Web site and, with an automated script, collected the e-mail addresses of about 114,000 users of the 3G iPad, including notable people in industry, media and politics, along with some in the military and other government agencies. The list included New York City Mayor Michael Bloomberg, Diane Sawyer of ABC News, film producer Harvey Weinstein and White House Chief of Staff Rahm Emanuel, according to Gawker, which first reported the breach.

E-mail addresses of users at the Army, the Defense Advanced Research Projects Agency, the Federal Aviation Administration, the Federal Communications Commission, the Justice Department and NASA also were collected.

Security experts have said the incident is unlikely to result in damage to the iPad users because the only thing exposed were e-mail addresses, along with the users’ ICC identification numbers, which authenticate them on AT&T’s network. That could result in increased spam or phishing attacks, but in many cases, the e-mail addresses of high-profile people and government employees are publicly available already.

One of the hackers who took the addresses told CNET that the group released the e-mail addresses to a Gawker reporter only after AT&T had been informed and had closed the weakness in its Web site – and after the reporter agreed not to show the full e-mail addresses and ICC IDs. They were partially blacked out in images shown on the Gawker site.

The group also has said that incident wasn’t actually a hack or intrusion, because the information was available to anyone, gained from a public Web site without the use of a password.

Meanwhile, AT&T has apologized for the incident, telling CNET, "We apologize that this happened. Nothing is more important to us. It's the No. 1 priority, protecting customer privacy."

Security experts have criticized AT&T for having that information accessible to anyone clever enough to retrieve it, but otherwise have downplayed the impact of the incident, suggesting it is getting attention mostly because of the iPad’s popularity, Apple’s reportedly strained relationship with AT&T -- its exclusive provider for the iPhone and iPad -- and the notoriety of the people on the e-mail list.

"I would guess that this application vulnerability gained so much attention because, after all, it is Apple we are talking about," George Kurtz, chief technology officer for McAfee, wrote in a blog post. “However, the reality is this type of vulnerability isn't really news and happens all day long."

Bloomberg, one of the victims, also dismissed the incident. "It shouldn't be pretty hard to figure out my e-mail address," he said in a report by MSNBC, "and if you send me an e-mail and I don't want to read it, I don't open it. To me it wasn't that big of a deal."

The FBI has said only that its investigation is in the early stages. But if investigators find the the information gained from the site was not used for fraudulent purposes, security experts said, it is unlikely that any charges would be filed.

Reader Comments

Mon, Jun 14, 2010 Derek Colorado

Note that it was AT&T's website that got hacked. The Apple connection is basic social engineering -- they appear to have been targeting a particular demographic (first adopters of the iPad 3G). I expect to see similar targeting for an Android tablet when one is fielded. The issue here isn't authorization of new technologies on the Federal network but practicing OPSEC and INFOSEC to limit the damage from these kind of targeted attacks, e.g., thinking about what e-mail address to use in conjunction with a high profile service or trinket.

Mon, Jun 14, 2010 Mark Arnold, MD

OH NOOO!!!! Say it ain't so! I thought Apple was hack proof. Looks like we need to be more careful when authorizing use of new technologies on the Federal network .... FYI, it's called security controls and standards.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close
SEARCH
 Top 100 Slideshow
contracts DB

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Read More

  • Is SBA MIA on contractor fraud? Nick Wakeman

    Editor Nick Wakeman explores the puzzle of why SBA has been so silent on the latest contractor fraud scandal when it has been so quick to act in other cases. Read More

Webcasts