AT&T accidentally exposed a whole bunch of iPad customers' email addresses. Oh dear! But wait, I'm an AT&T customer! And I have an iPad! Should I be worried? And what exactly was exposed here? Here's the rundown. Updated.
What was leaked?
iPad customers' email addresses (the ones they used to register with AT&T) and ICC-IDs, which Ryan describes here:
ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.
In other words, AT&T inadvertently made public every email address in its iPad database. It was just up to hackers to find them.
Whose personal data is at risk?
From the looks of it, anyone who bought an iPad with 3G. The exploit was a simple script: a hacker could throw an ICC-ID at AT&T's servers, and they would return its registered email address. ICC-ID are easily guessable, so your account was as likely to be compromised as any other.
Is it still at risk?
No, AT&T closed the exploit "in recent days."
How can I find out if my account was hacked?
Sadly, there's no way to find out right now. Gawker obviously isn't going to publish the data set they received, and it doesn't seem as if anyone has published much data elsewhere. If you saw a massive upswing in spam right after buying your iPad, well, maybe this is why.
How likely is it that my data was compromised?
Ryan's post references a list of 114,000 users whose data was accessed: This, as far as they know, was only shared between the security group that found the exploit, and Gawker. It was a sample set, basically.
That said, Goatse (the security group, not the infamous ass man) provided information on the exploit to other people, meaning that others could have conceivably used it while the exploit was still active. It's possible that your email address has been ripped and sold, but my gut says it's pretty unlikely.
Should I be worried?
As far as your email address being leaked—net effect: spam!—this isn't anything to lose sleep over. And the ICC-IDs, well, they probably aren't of much use to hackers either—though it might be possible to plug the ICC-ID into a SIM cloner. (We've reached out to a security researcher for clarification.)
But to play down this leak due to the relatively harmless nature of the exposed data is to miss the point: A thing that customers had assumed to be private, and entrusted to AT&T, was inadvertently made public. The worry here is less about your email address and ICC-ID than it is about a company that has all kinds of your personal data—your SS#, billing information and the like—can't seem to keep its data safe.
Any lessons? What can I do to safeguard against this?
It's a good policy to use a secondary email address when possible. A lot of the people on Ryan's list used their work email addresses—some from within the upper echelons of government and industry—which is generally a bad idea. But again, this leak isn't so much about the exposed email addresses as it is about data security in general, so the only lesson you could really glean from this is to trust no one, which isn't very useful at all, ha ha! Ugh. [Gawker]
Update: This is what AT&T had to say about the issue:
AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.