Jury convicts hacker over AT&T-iPad user data breach

Jury convicts hacker over AT&T-iPad user data breach

Summary: Found guilty, a hacker is now facing the appeals process after being accused of stealing data belonging to over 100,000 iPad users.

TOPICS: AT&T, iPad, Security, Tablets
Andrew Auernheimer hack conviction apple att ipad data breach court case
Credit: Anonymous/CNET

Andrew Auernheimer has been convicted of unauthorized access and stealing the data of iPad users on carrier AT&T's 3G network.

Convicted on Tuesday in a Newark, New Jersey court, the 27 year-old New Yorker was found guilty of one count of "conspiracy to access the servers without permission", as well as one count of identity theft, according to Reuters.

A co-defendant, Daniel Spitler, plead guilty to the same charges and awaits sentencing.

The hackers face potentially five years in prison and a $250,000 fine on each count after allegedly stealing iPad user's email addresses and unique identifier codes -- used to connect the devices to the carrier's 3G network -- after exploiting a security flaw in AT&T's website in 2010.

Auernheimer and Spitler were arrested and charged in January 2011. Using a script called an account slurper, Auernheimer and Spitler were able to forcefully harvest at least 100,000 iPad users' data through matching email addresses with credit card identifiers. However, after the hack, AT&T removed the feature which allowed email addresses to be obtained. 

Auernheimer appears rather upbeat about the verdict, tweeting to his followers:

Andrew Auernheimer hack conviction apple att ipad data breach court case


The news agency reports that Tor Ekeland, a lawyer for Auernheimer said his client is currently free on bail, and will appeal the verdict in a Philadelphia court.

"We disagree with the prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act," Ekeland said.

In a 2010 interview with sister site CNET, Auernheimer admitted to the data breach, but said it was done in order to warn AT&T of the security flaw and protect customers in the long run.

Topics: AT&T, iPad, Security, Tablets

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Double standard

    I wonder why if a household failed to secure the Wifi access point it was the house owner's fault if the network was being used for illegal purposes, while AT&T failed to secure their network it was the hacker that expose flaw in order to warn AT&T.
    • True, but

      Samic, I understand what you're saying, but they didn't just expose a flaw. They exploited it and stole private data. If you use the "a flaw existed" defense, then any person or company that uses quite literally "any" software, hardware, etc. could be legally hacked because it was "their" fault for having an infrastructure that had a flaw in it. Heck, take it a step further and blame banks for having a door that opens that someone could use to rob it. (OK, that's a bit extreme, but you get my point that these individuals are responsible for their actions and shouldn't blame AT&T for something 'they' did.)
      • Also True, but...

        Hemo, I understand where you are coming from. What they did WAS illegal, no question. However, many corporations refuse to patch exploitable systems until something like this happens and they are forced to take action. How fast do you think this would have gotten fixed if Andrew had just reported it through the proper channels? Would AT&T even have responded? Or perhaps this was already known by AT&T's security department, and simply filed away because it was deemed to expensive to fix.

        What I DON'T see is them being accused of using that data for their own personal gain. He even admitted to the hack, in 2010!

        I find this to be ridiculous. Yes, he should be punished for unilaterally harvesting UDID's, but not at 250k PER UDID. And not with any sort of prison sentence. I would say 250k TOTAL would be a deserving punishment.

        I might even go so far as to say AT&T is partially to blame for allowing "credit card identifiers" to be accessed as easily as they were.

        What do you think?
      • True , but

        If you defraud a bank on your mortgage you go to jail, directly to jail, do not pass go and do not collect $200 BUT when a bank defrauds thousands of customers like you nobody gets indicted, nobody goes to jail and they get to "negotiate" their fine. Justice? Only in Obama's mind.
        Albert Shurgalla
        • Obama?

          You have to be kidding, what does Obama have to do with this
        • How soon we forget

          How soon we forget. If you check your facts, I believe you will find that occured under the previous administration.
        • How soon we forget

          How soon we forget. If you check your facts, I believe you will find that occured under the previous administration.
    • Both are guilty

      Actually they are both at fault, or guilty. The person using an unauthorized AP for nefarious purposes (stealing data, etc) is guilty of these same crimes. The person who leaves it open is at fault for doing so and allowing the access to happen.
      Carlos Alvarez
      • Change your locks frequently

        After all, you seem to be implying that every exploit can be anticipated. The article points out that AT&T changed their code after discovery of the hack. There is no indication that they knew it was a problem before hand. Also, the Reuters article indicates Auernheimer did not contact AT&T ahead of time to arrange a test or discuss security, nor did he contact them after the fact, but published the data to Gawker. Hid defense is specious and he is a crook. If you get robbed while away, would you blame yourself or the perp?
        • Reasonable protection

          If AT&T collects personal data they are obliged to protect it.

          Not good enough to not just to not know about the exploit.
    • re:Double Standard

      I agree that people need to be more responsible with their home based wireless networks. However, they are not breaking the law. Look at like this: If a car owner chooses not to lock his car door, or even chooses to leave the key in the ignition. While obviously not the smartest things to do, it does not mean someone can just jump in and drive away. It is still theft, and the car owner would still be the victim, not an accessory.
      • But if you're in Australia . . .

        The simple act of leaving your car unlocked, key in ignition or not, is an offence. If you fill your car and go to pay without locking the car first, you can be charged (especially if the cop got a knockback the night before . . .). And insurance companies (God bless 'em and all their "get out of paying" clauses) will not pay up if it IS stolen.
      • Adding Teeth To Rrrosco's Point

        Two words come to mind "Downstream Liability" (see the following article: http://www.giac.org/paper/gsec/4126/system-security-liability/106532 ). I've worked in personnel, information, and network security for awhile now and one of the first things that I learned from my instructor from sans.org was about this very topic (Downstream Liability). You'll find many papers and discussions on this on the internet. But, simply put, both companies and individuals have a major responsibility in preventing exploits and reporting them so that they can be patched etc. before it comes down to this sort of issue. The "I didn't know I was responsible for patching or securing my system..." statement no longer washes in a court of law (in the US and many other countries). Long story short, we all have a "civic" cyber duty if you will, to protect the data that we are entrusted with whether it be a company or private individual. When Mr. Aurenheimer used a script called an "account slurper" he knew what he was about to do with that script. If he was a certified White Hat Hacker (they are invited to penetrate a company network) and was part of a Red Team that was hired by AT&T to perform a network penetration test; then his story would wash about wanting to prove to AT&T there was a flaw in their software. For the obvious fact that he wasn't under there employ and crossed the companies network boundary and not only found the data, but retrieved it from their network from across that boundary without their express consent and permission again shows what amounts to a "Breaking and Entering". Trust me, if anyone of us did not practice "due diligence" in locking our doors of our vehicles and "assume" that we're not going to get ripped off; then I wouldn't blame the police or the insurance companies one bit for not wanting to support us in our time of need. On the other hand, if after protecting our goods by not having them out in plain site nor leaving the doors unlocked and in turn creating a "deterrent" to frustrate such a crime (in AT&T's case I would submit they go to great lengths to ensure this sort of thing doesn't happen...they are bound by law to do so as the article states); then we would have a legitimate right to file charges against someone for breaching out property boundaries and prosecute this criminal to the fullest extent that the law would permit. In short, all of us have an obligation to be responsible for our actions. If we're constantly trying to shirk this responsibility; then should we expect people, police, courts of law, corporations, etc. to take us at our word that we were " ...it was done in order to warn AT&T of the security flaw and protect customers in the long run." as Mr. Aurenheimer would have all of us believe?
    • Maybe AT&T should do five years of additional taxation

      for allowing Data to be stolen from a server that lacked proper security controls. Do we ever nail the corporation for failure to protect its users? How about AT&T give each of the 100,000 users a free year of service? Pay up AT&T...PAYUP!
  • Ha ha, he got server.

    The first rule of a hacker is not to be tracked.
    • That's what they all say....

  • whitehat?

    "but said it was done in order to warn AT&T of the security flaw and protect customers in the long run...."

    Ah, so if someone pulls a gun out in a movie theater and shoots people, he is only pointing out the flaw of people not wearing bullet-proof vests, right?
  • It's not called hacking.

    ZDNet, when will your so-called tech writers get this right?
    • Wrong, it IS hacking (we simply have to agree to disagree)

      Sorry to spoil your party, but the ENTIRE WORLD is NOT going to "bend their definition" of 'hacker' to the will of a handful of people who nit-pick about the nuances of the definition. Plain and simple, you can complain about it all you want, but the generally-understood 'world view' of a hacker is: "Someone who HACKS into systems." Period. Point-blank. Exclamation point! End of discussion. i.e., Non-technical "Joe Schmoe on the street" would freak out if you showed him some article, and it said, "So, the Cracker was guilty of..." he would say, What the f$? Not to mention that 'Cracker' also has been given other bad connotations as well.

      I mean, it's great for you to be "filled with purpose" and try and "save the rep" of what [YOU] personally consider to be hackers; but, if you are as intelligent as you "think" you are, then get a clue and realize NOBODY is going to change the "world view definition," just because a few people seem to pick nits about the details of that definition.

      Bottom line: to the 'real world,' there is NO DISTINCTION whatsoever between hacker, cracker and script kiddie - they all are people who HACK into (aka "break into") systems, without permission, often for nefarious purposes, but sometimes to point out flaws.

      Continue being "noble," if you want, regarding arguments about your specific definition, but you will have to convince the ENTIRE WORLD to bend to your view; and... that ain't happenin'.

      And, to be consistent with what the general public understands, it is in ZDNet's best interest NOT to alter the definition - i.e., stick with the "generic" definition of hacker (i.e. the general public knows a hacker to be the person who breaks into systems). In the 'tech world,' sure we can pinpoint some distinctions, but it's really not worth arguing about.
  • this idiot

    is from my home town. He went and bragged to the media about the exploit. Not only that, they found cocaine and other hard drugs at his house. Guy is an idiot. I lectured him on keeping your mouth shut before he went to jail.

    Calling him a hacker is like calling a script kiddy a hacker. This guy has no real programming knowledge, he used a brute force attack on an email form with out a captcha. Any 12 year old could have done it. Only, this idiot got caught. Way to go .

    He also tried to tell girls on okcupid he was the e-prophet to sleep with them. Worked on one tweeked out cracker.