
iZac

macrumors 68030
Apr 28, 2003
2,607
2,818
UK
Hermes: What do we do when we break somebody's window?

Dwight: Pay for it?

Hermes: Heavens no! We apologise! With nice cheap words!
 

padrino121

macrumors member
Apr 5, 2004
44
-8
And remember that the hackers ... err, security company ... sent the list to a third / fourth party, not to AT&T.

Why do they believe they broke no laws? Did they have permission to access the accounts / e-mail addresses of those iPad owners? Will the iPad owners experience an increase in SPAM? If so, then prosecute the hackers ... aka security company. Make it as undesirable as possible for anyone to hack another's computer.

"Hack another's computer"? There was no hacking of any computers in this case. Has every site you've ever gone to given you explicit permission to access it, or does the fact that the site is public give you implicit permission?
 

bubba*nix

macrumors member
Aug 9, 2004
43
0
Raleigh, NC
AT&T should really credit those affected with a year of 3G service for their device. There isn't really an excuse for this, and AT&T needs some PR love after their data plan issues and now this. Come on, AT&T, are you too big to care about your customers anymore?

(FYI, I don't have a 3G iPad, only WiFi, so I'm not saying this because I want a year of coverage).
 

clayj

macrumors 604
Jan 14, 2005
7,619
1,079
visiting from downstream
ATT could have at least given those affected 1 free month of service.... wishful thinking on my part but it could help improve their image. Most iphone/ipad users have or at least are developing an increasing amount of animosity toward ATT. From what I have seen from ATT over the past two years I would say customer retention is not a priority or perhaps greed is clouding their judgement.
I agree -- an apology is a good start, but it is not enough.
 

mizzouxc

macrumors member
Apr 12, 2010
85
0
This wasn't a hack...it was a HUGE hole in their security!

I 100% agree. The software the alleged hackers used was likely a 5 line-of-code perl script. All the non-hackers did was submit an ID to the website and it returned data.

I guess by this notion, anyone who uses the command line, perl and curl are hackers.
 

mntentman

macrumors regular
Jan 15, 2007
134
0
Coincidentally or not, the day this breach occurred is the day my email address got hacked, and everyone in my contacts list received bogus "I am in trouble and need money" emails, supposedly from me. Since the hacker was able to take control of my MobileMe account, my iPad was also wiped remotely. In the end, no lasting damage occurred but it was a major pain and could have been worse.

I did not, interestingly, receive the email from AT&T. I would like to contact this Dorothy Attwood, but can't find any way to do so through the AT&T site, which will only direct me to customer support. Anyone know how that might be done? Thanks.
 

andiwm2003

macrumors 601
Mar 29, 2004
4,382
454
Boston, MA
........................................... I would like to contact this Dorothy Attwood, but can't find any way to do so through the AT&T site, which will only direct me to customer support. Anyone know how that might be done? Thanks.

well, there are some hackers that can get his mail...........

seriously I don't know how to directly contact him. try a generic email like dorothy.attwood@att.com or similar.

when I got this mail I had two questions:

Why the heck is there no official statement if my info was affected or not?
Can Dorothy ATTwood AT ATT be a fake name?;)
 

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
I guess it could have been much worse. Email and ICC-ID. Most users put their own email addresses at risk by having it displayed on websites and such so, unless there's something very wrong with someone knowing the ICC-ID, it seems pretty minimal

Unless AT&T is hiding that there was more information stolen than the "hackers" or AT&T are willing to admit

One person's email address, combined with harvestable knowledge that they own an iPad, is significantly less valuable than 140,000 such email addresses and direct knowledge that the person behind that email address not only owns an iPad but is expecting any iPad-related offers or news to come to this address. As in, many millions of times less valuable.

This is a Big Deal. AT&T pooh-poohing the "self-described hackers" doesn't help the security situation at all. After all, these "self-described hackers" just bested AT&T's security practices. The best course of action, when a company is SERIOUS about mitigating a security failure, is to be up front with their customers about both the seriousness of the compromised information AND their culpability AND, most importantly, how they are now immunizing themselves from similar attacks.

Instead, AT&T minimizes the compromise, belittles the folks that did it, yet admits to no security failure other than a desire to make things easier for you, their valued customer or whomever it may concern. They claim to have closed this attack vector in the narrowest way possible, by removing the feature, and give no assurance whatsoever that the next time they think of the customer's "convenience" it won't be at the cost of their customer's security.

IMHO, again, AT&T needs to advise their customers to, wherever possible, obtain new email addresses, and to register their iPads again at a new address. They should immediately deactivate and clear the existing registered email addresses and have all customers give them new addresses, with a notice on that screen that the customer should give a different email address than was previously given, that they will not, ever, receive any official communications from AT&T by that other email address, that if they receive anything purporting to be from AT&T or Apple on that email address then they should report it. They should then, in detail, explain where their security failed and how they are going about fixing things. I expect, here, to see concrete instances of similar holes that they found in other processes which after reviewing this attack they plugged immediately.

But, I don't expect any such thing from AT&T, because they are a crap company. Too bad Apple sullies themselves by association.
 

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
And remember that the hackers ... err, security company ... sent the list to a third / fourth party, not to AT&T.

Why do they believe they broke no laws? Did they have permission to access the accounts / e-mail addresses of those iPad owners? Will the iPad owners experience an increase in SPAM? If so, then prosecute the hackers ... aka security company. Make it as undesirable as possible for anyone to hack another's computer.

IMHO, not being a lawyer, that is where a criminal case, if any comes of this, will start and end.

"Hacking" is criminalized, but significantly less so than it has been in the recent past (Mitnick et al). Up to the point that they sold their email list to a third party rather than reporting it to AT&T, the "security" company was completely in the right here; I'd want security holes like that pointed out to me, along with proof of the severity of the hole, if I was an engineer at AT&T (and hadn't slit my wrists). But, the moment they turned around and sold the list to Gizmodo et al, they lost white-hat status and made themselves criminals. For that, they should have the book thrown at them.
 

spazzcat

macrumors 68040
Jun 29, 2007
3,706
4,818
I 100% agree. The software the alleged hackers used was likely a 5 line-of-code perl script. All the non-hackers did was submit an ID to the website and it returned data.

I guess by this notion, anyone who uses the command line, perl and curl are hackers.

If you use it to get information you are not entitled to, yes, it would make you a hacker...
 

Nem Wan

macrumors member
May 4, 2009
52
14
Where's the apology for AT&T's illegal wiretapping on behalf of the NSA? I guess they don't think it's wrong if the U.S. government asks them to do it.
 

Full of Win

macrumors 68030
Nov 22, 2007
2,615
1
Ask Apple
All I wanted was a "I got my personal information exposed by AT&T incompetence and all I got was this lousy T-Shirt" T-Shirt. I guess that was too much to ask for.
 

JAT

macrumors 603
Dec 31, 2001
6,473
124
Mpls, MN
Great efforts?? Really? Laughable. I would not even call these guys hackers.

"Hack another's computer"? There was no hacking of any computers in this case. Has every site you've ever gone to given you explicit permission to access it, or does the fact that the site is public give you implicit permission?

"The hackers deliberately went to great efforts with a random program to extract..."

This "great" effort probably took them all of 20 minutes to script after discovering the flaw with AT&T's web service.

You are all assuming "hacker" means some awesome code or extravagant work ala The Matrix. It just refers to anyone who steals information through computers. The theft is the key point, not what type of fancy code or fabulous ability was needed.
 

JGowan

macrumors 68000
Jan 29, 2003
1,766
23
Mineola TX
I got my e-mail earlier today... pretty messed up. And the thing that pisses me off is that they offer nothing for those of us whose email addresses were stolen. Seems to me, the least they could do is a month of free service.

Not happy, AT&T, ... not happy.
:mad:
 

KeriJane

macrumors 6502a
Sep 26, 2009
578
1
ЧИКАГО!
I saw a news story today that claims that the hackers are stating that there are even more security holes with the iPad.

Hello.

Are the holes iPad specific or AT&T's fault?

Since the iPad uses standard wifi or 3G service it shouldn't be any more susceptible than anything else using these services...

AT&T does it again?

I got that letter too, so I'm very interested.

Have Fun,
Keri
 

Dah366

macrumors newbie
Jun 14, 2010
9
0
There are so many problems with AT&T: dropped calls, poor service, and now a data leak. The problem is that if we want to buy 3G Apple products we have to put up with this, when will Apple finally leave AT&T and back their products with a service provider that actually does what they are supposed to?
 

lkrupp

macrumors 68000
Jul 24, 2004
1,891
3,892
There are so many problems with AT&T: dropped calls, poor service, and now a data leak. The problem is that if we want to buy 3G Apple products we have to put up with this, when will Apple finally leave AT&T and back their products with a service provider that actually does what they are supposed to?

Like who for instance? Verizon? Their service makes at&t look good. There is no such thing as a provider that "does what they are supposed to." And forget about T-Mobile or Sprint. The grass is always greener isn't it and bashing at&t is now politically correct behavior for the faux-techies.
 

cmaier

Suspended
Jul 25, 2007
25,405
33,471
California
I got one of these emails. I like how you can't reply because it's an unattended mailbox...because, you know, AT&T doesn't want to give out a real email address and get a lot of spam.

Ironic. Douchebags.
 

aprilfools

macrumors regular
Dec 15, 2004
213
1
Southern California
It is Monday, June 14, 2010 12:05 PM. I have not yet received the letter from at&t.

Thankfully, I rarely ever receive spam, but over the weekend I started getting some. Hmmmmm. Not many, but 4 or 5 spam emails or so. Not sure if it is connected with the hacker thing or not.
 