So you may have thought that the “lost” iPhone 4s were a bit of an embarrassment for Apple. How about having the private information of at least 114,000 iPad owners (these are the ones we know about) exposed? This included celebrities, government officials (see below) and the Department of Defense (see more below)!
According to reports on Gawker, the breach has exposed the email accounts and the chip IDs of the early adopters of Apple’s new iPad. These include the emails of New York Times CEO Janet Robinson, Diane Sawyer of ABC News, Mayor Michael Bloomberg and White House Chief of Staff Rahm Emanuel. There were also a number of addresses on the domain of DARPA, which is the advanced research division of the Department of Defense. One of those email addresses belonged to the highly respected William Eldredge, who “commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force.”
Breach Details: Who did it, and how
The group who did this call themselves Goatse Security. They claim to be security experts/hackers looking for flaws so they can be closed, and we know they have highlighted vulnerabilities in Firefox and Safari recently.
The group obtained its data through a script on AT&T’s website which was accessible to anyone on the internet (we understand this has now been removed). They guessed some data, made a fake “iPad request” of the kind that allows iPad users to connect to the websites, and then wrote a script to harvest this information. They say that the script had been shared with other parties prior to AT&T closing it down, so it is not known how many users were compromised.
Goatse also say they informed AT&T, though AT&T claims a customer informed them. I doubt the latter unless the customer was extremely computer savvy, or was informed by Goatse or a 3rd party with access to the script.
AT&T has confirmed the breach (and the closure) and is investigating the damage.
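From the defender's side, harvesting of the kind described above shows up in web logs as one client asking about many different chip IDs in a short time. The following is an added example, not code from AT&T, Goatse Security or the original post; the log format, the `/lookup` path, the `chip_id` parameter and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not AT&T's real one):
# "<ISO time> <client> GET <path>?chip_id=<digits> <status>"
LINE = re.compile(r"^(\S+) (\S+) GET \S+\?chip_id=(\d+) \d{3}$")

def find_enumerators(lines, window=timedelta(minutes=1), max_ids=5):
    """Return {client: peak distinct chip IDs seen in any window} for clients over max_ids."""
    by_client = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, client, chip_id = m.groups()
            by_client[client].append((datetime.fromisoformat(ts), chip_id))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({cid for _, cid in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_ids:
            flagged[client] = peak
    return flagged

def sample_log():
    """Constructed sample: one ordinary device and one script guessing IDs."""
    base = datetime(2020, 1, 1, 12, 0, 0)
    lines = []
    for i in range(8):   # ordinary device: always sends its own chip ID
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 GET /lookup?chip_id=890000000000000001 200")
    for i in range(30):  # script: a new guessed chip ID every second
        t = base + timedelta(seconds=i)
        status = 200 if i % 3 == 0 else 404
        lines.append(f"{t.isoformat()} 203.0.113.9 GET /lookup?chip_id={890000000000001000 + i} {status}")
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

The same per-client count of distinct identifiers can drive rate limiting on the endpoint rather than only after-the-fact detection.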
Apple, on the other hand, have made no comment. This is unusual. To be fair, they have no involvement, as it wasn’t the iPad that was breached but the AT&T servers, but we would have thought they would have at least made a statement.
Some Ramifications
There are some serious ramifications here. AT&T are playing it down, saying it is only email addresses. This time it was, but next time? Also, having the email address of some of these VIPs is worth a lot of money. And having an email address can lead to much more (just ask the Twitter executives when their emails were all hacked, starting from one simple email address). Then there are the DARPA emails.
Worse, AT&T still haven’t contacted customers about the breach!
The New York Times has sent an email to its staff to “turn off your access to the 3G network on your iPad until further notice” and we suggest you all do the same.
Finally, one last bit of food for thought for Apple and AT&T. If you force people to give you private information (and we are directing this at Apple, who force you to buy an iPad with a credit card or other private information so they can monitor your account), then make sure you keep it safe!
We sincerely hope that the extra money AT&T is going to be making with its new 3G data plans will be spent on upgrading its security for iPad owners.
Images courtesy of Gawker.com




