They denied it, but readers claim that AT&T is exposing credit cards and shipping information during iPhone 4 pre-orders. Wrong shipping information is even being used by AT&T and Apple's websites to send units to the wrong people. [Updating live]
The first iPhone 4 pre-order day was a total disaster, with collapsed AT&T and Apple servers unable to take any orders, multiple incorrect purchases, reservations that didn't reserve anything, physical stores closing or having to take orders with pen and paper, and, worst of all, people logging into AT&T's account servers and seeing different customers' information on screen.
By itself, that's a major security problem. But it gets worse. According to emails sent by readers, the ordering system is mistakenly showing and using the wrong customers' personal information. Not only that, but the problem is affecting other systems: reader Christian du Lac saw his credit card information changed to another person's in his AT&T Wi-Fi Premium account:
From: Christian du Lac
Subject: whose credit card? not mine
Date: June 16, 2010 12:54:17 AM EDT
To: Jesus Diaz
Great coverage on the iPhone/AT&T disaster.
I was one of the lucky ones who secured an iPhone upgrade — at 2:30am west coast time, after over an hour of server failures, etc.
On a matter perhaps related to the AT&T server software update you reported on today: I have an AT&T Wi-Fi Premium account — the kind that you can use at Starbucks — that I want to cancel, since Starbucks is making wi-fi free in a couple of weeks.
When I enter my account to remove my credit card info, it describes my card as an American Express, and shows a partial account number and expiration date. Problem is, it's not my card: I haven't had an Amex account in 12 years. (Screenshot attached).
The problem is not limited to AT&T's account system, however. Since the iPhone 4 upgrades require an AT&T contract, Apple has to use AT&T's systems to process the orders. The Apple Store requires the phone to be shipped to the address listed in the AT&T service contract. Nothing wrong with that, until AT&T sends Apple the address information from the wrong customer. This is what happened to reader Melissa Phillips:
From: Melissa Phillips
Date: June 16, 2010 2:20:49 AM EDT
To: Jesus Diaz
Had this happen to me twice when attempting to order through the Apple Store. Once you get to the check out, evidently they will only ship to the AT&T billing address and random addresses have come up.
The first time it happened I was in the Apple Store in Jacksonville and we were about to hit the final check out button when my husband noticed the shipping address was somewhere in Virginia to a name that wasn't ours. We backed out and were never able to get that far again so we left the store.
Got home and tried again on the Apple website.. not AT&T around 2:00 am, this time it happened again with a different address and having read your article I knew what was up. I took the attached screenshot. Shut the browser down, tried again in a completely different browser and it went through.
Scary to think how many people purchased through Apple website and were so happy that it was finally working that they never noticed the incorrect shipping addresses. On the other hand many people are going to be getting some free iPhones...
That's precisely the bigger problem: not only has AT&T exposed credit card and shipping address information through their servers and the Apple Store, but it is very possible that many people have used this wrong information to place their orders. This could result in people placing an order with their credit cards, and other people receiving the iPhone 4. That seems to be the case for Gregory S:
From: Gregory S
Subject: iPhone 4 Order Security Breach Exposes Personal Information
Date: June 16, 2010 7:24:45 AM EDT
To: Jesus Diaz
I just received an order confirmation yesterday for an iPhone 4 and I did not even order one! I was googling around to see if this happened to anyone else and I found your article on Gizmodo.
This is amazing! I thought it was fake at first but after checking the order status on AT&T's website I knew it was a real order. Now I just wonder if it will come to my house.
Given the volume of emails about mistaken identities we are receiving, it seems that this won't be the only case. As one of the readers pointed out, many could have been so happy to be able to make the purchase yesterday that they may not have noticed the wrong shipping address. Add to that the iPhone reservations that really didn't happen, the orders that were never placed by overloaded servers, and the orders that were placed several times, and you will have another disaster on the iPhone 4 launch day.
If you thought you made a pre-order or a reservation yesterday, make sure that everything is right before the day comes. [Gizmodo's iPhone 4 Pre-Order Disaster Coverage]
Update 1: As reader Breanna points out, check your order status for duplicated orders or mistakes. She got three orders instead of one:
Subject: Apple iPhone preorder issue
Date: June 16, 2010 10:18:49 AM EDT
To: Jesus Diaz
You should advise people to go to Apple's order status and log in with their apple ID to check their orders.
I did this this morning and I found three orders for an iPhone that had been processed successfully. I only have one confirmation email in my inbox. I cancelled the other two and got cancellation emails right away.
This boggles my mind because only twice did I ever get to the check out part of the site, and one time it locked up while processing payment (and since I never got a confirmation email I just assumed it didn't go through and tried again).
I literally spent 15 hours yesterday, non stop, attempting to order the phone— 2 hours on the phone with Apple, 1 call to AT&T.
A very frustrating experience, and I've screen capped the whole thing. It's going to make a fun video :)
Update 2: Some people are benefiting from the debacle, getting $200 upgrade prices even though they don't qualify:
Subject: AT&T / Apple Debacle - I got mine for the upgrade price when not qualified.
Date: June 16, 2010 10:18:23 AM EDT
To: Jesus Diaz
Good thing for me that Apple and AT&T didn't have their act together. I finally got on last night ~10PM Central Time and pre-ordered my iPhone 4. When I went through though it was only $200! I just bought the 3GS last year about a week after it was released, so in theory there is no way I should be getting this price. I know the account information is correct because it forced me to use the correct billing address. I had earlier made a reservation to pick up the phone at the Apple store near me on the 24th, but unless this deal collapses I'm just going to count my blessings and wait for it to arrive (July 6-8th since it was later in the day).
P.S. Please don't publish my name as I would hate to have them see it and dig through to cancel it.
Update 3: More security problems coming in:
Subject: iPhone screwup
Date: June 16, 2010 9:50:31 AM EDT
To: Jesus Diaz
So it looks like I am getting a free iPhone from AT&T because some guy named John (I won't reveal his last name) ordered one. The confirmation came from one of my other email accounts which is tied to my AT&T account. It has his credit card information but my shipping address. I work in IT so I can see how bad this is for security reasons. I didn't order an iPhone and I don't even get wireless service from AT&T. Someone screwed up badly on this and I would be demanding that AT&T purge all orders from yesterday ASAP. As it looks now though I am getting a free iPhone from AT&T and I don't know if I should return it or keep it, if it arrives.
Update 4: Another order made with the wrong person's credit card and address:
From: J. Arroyo
Subject: Security Breach: my personal experience
Date: June 16, 2010 1:53:13 PM EDT
To: Jesus Diaz
This morning I checked my bank account to notice a negative balance of $291.57. Looking over the transactions, I saw a charge of $543.29 added to my account from the Apple Store. I logged into my iTunes account from the Apple website to notice a 32GB iPhone was ordered, but someone else's name and shipping address were listed. I don't know what kind of security breach this is, but in my defense I was livid.
I spent all morning on the phone between my bank, AT&T, and Apple to get the situation settled before I went to work. I was told everything was fixed accordingly and I should see the balance restored on my account by the end of the day.
Regardless, this predicament has set my mind on two things: One, I'll never pre-order or buy an iPhone on release day, and two, I dread the same time next year when Apple decides to announce their next one.
Update 5: Yet another mixed up order:
Date: June 16, 2010 11:18:09 PM EDT
I too had this problem. I just checked my bank statement and I had an iPhone purchased on my account from Bethlehem, PA, from an AT&T shop. I did NOT even buy an iPhone from AT&T. I do NOT even live in Pennsylvania, I live in Brooklyn.
I really do hate them.