AT&T iPad data breach hits home

By Michael Krigsman | June 14, 2010, 4:46am PDT

Summary: Today, thanks to flaws in AT&T’s service, I’m at risk for identity theft along with 114,000 other iPad owners.

I’m one of the lucky people who owns an iPad with built-in AT&T 3G wireless. But today, thanks to flaws in AT&T’s service, I’m at risk for identity theft along with 114,000 other iPad owners.

This morning, I received an unpleasant email from AT&T explaining that someone stole my personal, confidential information due to a weakness in AT&T’s security procedures on the iPad.

According to the email, AT&T wants me to have confidence that the thieves did not steal credit card information. However, I must ask AT&T why it is confident the thieves did not steal any additional information. The company was not aware of the theft until after it occurred, so AT&T’s assurances sound empty and disingenuous.

The letter does not include an offer for credit monitoring or even offer a contact number to ask AT&T questions. The only contact information says, “Please do not reply to this email. This address is automated, unattended and cannot help with questions or requests.”

Here’s the letter in its entirety, sent from Dorothy Attwood, Senior Vice President, Public Policy and Chief Privacy Officer for AT&T:

June 13, 2010

Dear Valued AT&T Customer,

Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.

Here’s some additional detail:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.

As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.

I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.

While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.

AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.

AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.

Sincerely,

Dorothy Attwood
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T
________________________________________
Please do not reply to this email. This address is automated, unattended and cannot help with questions or requests.

(c) 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
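One detective check that follows from the mechanism the letter describes, as an added example that is not from the original post or from AT&T: a short Python pass over web-server access logs that profiles, per source address, how many distinct ICC-IDs were looked up, how many lookups came back empty, and how many IDs fail the Luhn check digit that real ICC-IDs carry. The log lines, the /auth/prefill path, the iccid parameter and the IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines, not real AT&T logs. /auth/prefill and the iccid
# parameter are hypothetical stand-ins for the pre-population endpoint the letter describes.
SAMPLE_LOG = """\
203.0.113.9 - - [07/Jun/2010:09:58:40 -0700] "GET /auth/prefill?iccid=89014104211234567892 HTTP/1.1" 200 512
198.51.100.7 - - [07/Jun/2010:10:00:01 -0700] "GET /auth/prefill?iccid=89014104211234567890 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:01 -0700] "GET /auth/prefill?iccid=89014104211234567891 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:02 -0700] "GET /auth/prefill?iccid=89014104211234567892 HTTP/1.1" 200 512
198.51.100.7 - - [07/Jun/2010:10:00:02 -0700] "GET /auth/prefill?iccid=89014104211234567893 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:03 -0700] "GET /auth/prefill?iccid=89014104211234567894 HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"GET /auth/prefill\?iccid=(?P<iccid>\d+) HTTP/[\d.]+" (?P<status>\d{3})')

def luhn_valid(digits):
    """ICC-IDs carry a Luhn check digit; randomly generated numbers mostly fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def profile_sources(log_text):
    """Per source IP: lookups, distinct ICC-IDs, misses (non-200) and malformed IDs."""
    stats = defaultdict(lambda: {"lookups": 0, "ids": set(), "misses": 0, "invalid": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["lookups"] += 1
        s["ids"].add(m["iccid"])
        s["misses"] += m["status"] != "200"     # lookup hit no registered ICC-ID
        s["invalid"] += not luhn_valid(m["iccid"])
    return stats

def flag_enumerators(log_text, min_distinct=3, bad_ratio=0.5):
    """Sources sweeping many distinct ICC-IDs where most lookups miss or are malformed."""
    flagged = []
    for ip, s in profile_sources(log_text).items():
        if len(s["ids"]) >= min_distinct and max(s["misses"], s["invalid"]) / s["lookups"] >= bad_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

Flagging sources is only a detective control; the actual fix the letter describes is removing the ICC-ID-keyed pre-population and requiring both email address and password on the log-in page.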


Michael Krigsman is a recognized authority on the causes and prevention of IT failures.

Disclosure

Michael Krigsman

Michael Krigsman writes and speaks about technology in a manner that most observers consider to be fair and balanced. Michael believes that writing about IT failures, which often have complex causes, creates a unique obligation to be reasonable and accurate in both reporting and analysis.

Michael maintains active personal and professional relationships with enterprise technology buyers, vendors, analyst firms (or individual analysts), consultants, and system integrators. As CEO of Asuret, Michael sells and delivers paid services to members of these same groups.

Vendors regularly reimburse Michael's out-of-pocket travel expenses to attend industry conferences and events. Conference organizers frequently waive entry fees when Michael attends industry events. Michael often speaks at industry conferences and events.

He is a member of the Enterprise Irregulars, a loose association of consultants, investors, industry representatives, analysts, and users of enterprise software.

For daily updates on Michael's activities, follow him on Twitter.

Biography

Michael Krigsman

Michael Krigsman is CEO of Asuret, Inc., a consulting company dedicated to reducing technology implementation failures. Asuret's suite of software tools improves the success rate of enterprise software deployments by quantifying and measuring governance issues that cause most project failures. Michael led the research effort underlying Asuret's model of collective intelligence and its practical application to reducing IT failures in consulting environments. He is a recognized authority on the causes and prevention of IT failures and is frequently quoted in the press on IT project and related CIO issues. He is considered an enterprise software industry "influencer" and provides advice to technology buyers, vendors, and services firms.

Previously, Michael served as CEO of Cambridge Publications, which develops tools and processes for software implementations and related business practice automation projects. Michael has been involved with hundreds of software development projects, for companies ranging from small startups to Fortune 500 organizations. Michael graduated with an M.B.A. from Boston University and a B.A. from Bard College. He is a Board member of the America's Cup Hall of Fame and the Herreshoff Marine Museum in Bristol, RI.

Talkback (3 comments, most recent first)

  • AT&T has you locked in, so no freebies for you!
    As far as any free credit monitoring, identity theft insurance, or anything else that AT&T would have to spend actual money on, you can forget it. Where are you going to go? They don't have to do anything to retain you as a customer, so they won't, it's simple corporate math.

    In their favor, it sounds like they identified the exact mechanism of the breach. If that was the only breach, then they are probably correct in their assumption that no other data was stolen. Of course, if this is only the first stage of many failures (like the BP disaster) then you might be at risk and nobody is talking about it until it is publicly discovered and disclosed by somebody else. Considering how lawyer-happy Apple and AT&T are, anybody else disclosing info other than AT&T might be in for a world of grief.
    terry flores
    14th Jun 2010
  • standard non-contact information
    This bugs me.

    The letter does not include an offer for credit monitoring or even offer a contact number to ask AT&T questions. The only contact information says, “Please do not reply to this email. This address is automated, unattended and cannot help with questions or requests.”

    AT&T's clearly stuck in the dark ages vis-a-vis customer service. The company ought to be getting in front of this, not forcing customers to call 800 numbers, playing dial-a-rep, and hopefully finding answers.

    Ridiculous.
    philsimonsystems
    14th Jun 2010
  • RE: AT&T iPad data breach hits home
    Don't Panic! This isn't a big deal according to one of the other ZDNet bloggers.
    Loverock Davidson
    14th Jun 2010
