AT&T security breach exposes iPad 3G customer data (updated 2x)

AT&T security breach exposes iPad 3G customer data (updated 2x)

Summary: A security breach on AT&T's servers has exposed iPad 3G customer data including email addresses and ICC-ID of over 100,000 customers in the U.S.


Apple's Worst Security Breach: 114,000 iPad Owners Exposed

AT&T and Apple have suffered a major privacy breach, exposing the email addresses and ICC-IDs of over 114,000 iPad 3G customers -- possibly many more.

According to Gawker the data includes:

a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised.

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

Even worse is the potential security threat this could expose to members of the military that adopted the iPad. On the list are several devices registered to the domain of DARPA, the advanced research division of the Department of Defense, including William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force."

Um, yeah. It's that bad.

Media moguls and celebrities are one thing, but I'm guessing that the government and military users are taking this one pretty seriously too. I'm guessing that Al Qaeda would pay big bucks to have access to Eldridge's iPad 3G?

According to data furnished to Gawker by the Web security group that exploited vulnerabilities on the AT&T network at least 114,000 user accounts have been compromised, although it's possible that confidential information about every U.S. iPad 3G owner in the U.S. has been exposed.

The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.

AT&T responded by downplaying the impact of the breach:

AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.

New York Times emailed a warning to all of its staff to "turn off your access to the 3G network on your iPad until further notice" while the newspaper's engineers and security staff investigate the issue.

All of the gory technical details are on Gawker and Apple has yet to respond. Until they do, I'd also recommend that iPad 3G users turn off 3G until further notice.

Apple needs to respond and respond quickly as I'm about to return my $900 iPad 3G.

If ever there were a reason for Apple to dump AT&T -- this is it.

Update: Still no response from Apple.

Update 2: The FBI has opened an investigation into the matter.

Related coverage on ZDNet:

Topics: Mobility, Apple, Hardware, iPad, Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: AT&T security breach exposes iPad 3G customer data (Updated)

    2 million refunds? this breach cannot be true! Being #1 means being #1 target
  • apple?

    how is that apple's fault? wasn't it a security breach at att?<br><br>ah, sorry, i forgot, we're at zdnet. and it's jason! click baiting, phoney outrage stories about all things apple even if they have nothing to do with it. it doesn't get much lower than this.
    banned from zdnet
    • RE: AT&T security breach exposes iPad 3G customer data (Updated)

      [i]it doesn't get much lower than this. [/i]

      Sure it does. You're here.
      Hallowed are the Ori
      • you're welcome

        @James T. Kirk
        thanks for the flowers.
        banned from zdnet
      • RE: AT&T security breach exposes iPad 3G customer data (Updated)

        You're welcome too. <img border="0" src="" alt="happy">
        Hallowed are the Ori
  • phoney

    and by the way, we are talking about email-adresses here, no full "contact information" as fud spreading jason wants to imply. woaahh, email-adresses. al qaida!! it's that bad! the sky is falling.
    banned from zdnet
    • RE: AT&T security breach exposes iPad 3G customer data (Updated)

      @banned from zdnet (and the haters)

      Let me get this straight. You'd be fine with AT&T exposing your email address ICC-ID to the world? What if Microsoft did it? What if Google did it?

      You lose all credibility and expose yourself as troll when you say things like exposing your email doesn't matter! What's worse is when you (conveniently) ignore the fact that the ICC-IDs were also exposed.

      If I had posted something to the fact of "AT&T exposed iPad data - no big deal" (as Adrian did: you would have JUMPED DOWN MY THROAT.


      - Jason
      Jason D. O'Grady
      • actually no

        @Jason D. O'Grady
        you implied full customer contact information were revealed. but it turns out, no! it wasn't, no address, no credit card information or social security numbers, no, only the email-address! opps.

        sure, some may get more spam now, but you mentioned Al Qaeda could make use of it. it has become a matter of national security!! are you nuts? if this isn't a phoney outrage garbage post spreading fud, i don't know.
        banned from zdnet
      • the lowest of the bloggers

        @Jason D. O'Grady
        and now you have changed your post without clarification. as i said, it doesn't get much lower than this.

        first it was: only "contact information", now you changed that to "contact information email addresses and ICC-IDs".

        though you are at least admitting that you did wrong you are too chicken to clarify it. poor, very poor. don't you have any standards at zdnet?
        banned from zdnet
  • RE: AT&T security breach exposes iPad 3G customer data (Updated)

    Do you REALLY think that there is classified material on an iPad that goes over the AT&T network? If so, then I'd like to suggest that you don't understand the policies and precautions taken to ensure security of sensitive information.
  • by the way

    it is a security breach on att's systems (most likely running on windows) doesn't that make it a windows security breach? just asking.
    banned from zdnet
  • RE: AT&T security breach exposes iPad 3G customer data (Updated)

    Denim Group CTO Provides Insights & Commentary Regarding AT&T / Apple Data Security Breach
  • RE: AT&T security breach exposes iPad 3G customer data (Updated)

    The hordes of experts fixing windows problems are scared. They would have little to do if we all move to apple. It is in their vested interest to create fud.
    • RE: AT&T security breach exposes iPad 3G customer data (Updated)

      @Nofuzzydreams Let's get this out in the open. How many Mac "experts" are there in the world? Spreading S*** with a silver spoon doesn't change what it is.
  • RE: AT&T security breach exposes iPad 3G customer data (Updated)

    you paid $900 for an iPad? sweet mother of crap! You SHOULD return it