AT&T security breach exposes iPad 3G customer data (updated 2x)

A security breach on AT&T's servers has exposed iPad 3G customer data including email addresses and ICC-ID of over 100,000 customers in the U.S.
Written by Jason D. O'Grady, Contributor on

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

AT&T and Apple have suffered a major privacy breach, exposing the email addresses and ICC-IDs of over 114,000 iPad 3G customers -- possibly many more.

According to Gawker the data includes:

a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised.

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

Even worse is the potential security threat this could expose to members of the military that adopted the iPad. On the list are several devices registered to the domain of DARPA, the advanced research division of the Department of Defense, including William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force."

Um, yeah. It's that bad.

Media moguls and celebrities are one thing, but I'm guessing that the government and military users are taking this one pretty seriously too. I'm guessing that Al Qaeda would pay big bucks to have access to Eldridge's iPad 3G?

According to data furnished to Gawker by the Web security group that exploited vulnerabilities on the AT&T network at least 114,000 user accounts have been compromised, although it's possible that confidential information about every U.S. iPad 3G owner in the U.S. has been exposed.

The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.

AT&T responded by downplaying the impact of the breach:

AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.

New York Times emailed a warning to all of its staff to "turn off your access to the 3G network on your iPad until further notice" while the newspaper's engineers and security staff investigate the issue.

All of the gory technical details are on Gawker and Apple has yet to respond. Until they do, I'd also recommend that iPad 3G users turn off 3G until further notice.

Apple needs to respond and respond quickly as I'm about to return my $900 iPad 3G.

If ever there were a reason for Apple to dump AT&T -- this is it.

Update: Still no response from Apple.

Update 2: The FBI has opened an investigation into the matter.

Related coverage on ZDNet:

Editorial standards