AT&T iPad data leak: Hack or hype?

Compromised data was limited to e-mail addresses, many of which are already publicly available, but authorities still plan to probe the incident.

The FBI has launched an investigation into the possible hack of AT&T’s Web site, in which hackers took the e-mail addresses of more than 100,000 Apple iPad users, including some in U.S. military and civilian agencies.

The question appears to be who, if anyone, should be targeted in the investigation.

"The FBI is aware of these possible computer intrusions and has opened an investigation," FBI spokeswoman Katherine Schweit told the Wall Street Journal, but she declined to comment on the focus of the investigation.

A group of hackers exploited a flaw in AT&T’s Web site and, with an automated script, collected the e-mail addresses of about 114,000 users of the 3G iPad, including notable people in industry, media and politics, along with some in the military and other government agencies. The list included New York City Mayor Michael Bloomberg, Diane Sawyer of ABC News, film producer Harvey Weinstein and White House Chief of Staff Rahm Emanuel, according to Gawker, which first reported the breach.

E-mail addresses of users at the Army, the Defense Advanced Research Projects Agency, the Federal Aviation Administration, the Federal Communications Commission, the Justice Department and NASA also were collected.

Security experts have said the incident is unlikely to result in damage to the iPad users because the only thing exposed were e-mail addresses, along with the users’ ICC identification numbers, which authenticate them on AT&T’s network. That could result in increased spam or phishing attacks, but in many cases, the e-mail addresses of high-profile people and government employees are publicly available already.

One of the hackers who took the addresses told CNET that the group released the e-mail addresses to a Gawker reporter only after AT&T had been informed and had closed the weakness in its Web site – and after the reporter agreed not to show the full e-mail addresses and ICC IDs. They were partially blacked out in images shown on the Gawker site.

The group also has said that incident wasn’t actually a hack or intrusion, because the information was available to anyone, gained from a public Web site without the use of a password.

Meanwhile, AT&T has apologized for the incident, telling CNET, "We apologize that this happened. Nothing is more important to us. It's the No. 1 priority, protecting customer privacy."

Security experts have criticized AT&T for having that information accessible to anyone clever enough to retrieve it, but otherwise have downplayed the impact of the incident, suggesting it is getting attention mostly because of the iPad’s popularity, Apple’s reportedly strained relationship with AT&T -- its exclusive provider for the iPhone and iPad -- and the notoriety of the people on the e-mail list.

"I would guess that this application vulnerability gained so much attention because, after all, it is Apple we are talking about," George Kurtz, chief technology officer for McAfee, wrote in a blog post. “However, the reality is this type of vulnerability isn't really news and happens all day long."

Bloomberg, one of the victims, also dismissed the incident. "It shouldn't be pretty hard to figure out my e-mail address," he said in a report by MSNBC, "and if you send me an e-mail and I don't want to read it, I don't open it. To me it wasn't that big of a deal."

The FBI has said only that its investigation is in the early stages. But if investigators find the the information gained from the site was not used for fraudulent purposes, security experts said, it is unlikely that any charges would be filed.