I guess it could have been much worse. Email and ICC-ID. Most users put their own email addresses at risk by having it displayed on websites and such so, unless there's something very wrong with someone knowing the ICC-ID, it seems pretty minimal
Unless AT&T is hiding that there was more information stolen than the "hackers" or AT&T are willing to admit
One person's email address, combined with harvestable knowledge that they own an iPad, is significantly less valuable than 140,000 such email addresses and direct knowledge that the person behind that email address not only owns an iPad but is expecting any iPad-related offers or news to come to this address. As in, many millions of times less valuable.
This is a Big Deal. AT&T pooh-poohing the "self-described hackers" doesn't help the security situation at all. After all, these "self-described hackers" just bested AT&T's security practices. The best course of action, when a company is SERIOUS about mitigating a security failure, is to be up front with their customers about both the seriousness of the compromised information AND their culpability AND, most importantly, how they are now immunizing themselves from similar attacks.
Instead, AT&T minimizes the compromise, belittles the folks that did it, yet admits to no security failure other than a desire to make things easier for you, their valued customer or whomever it may concern. They claim to have closed this attack vector in he narrowest way possible, by removing the feature, and give no assurance whatsoever that the next time they think of the customer's "convenience" it won't be at the cost of their customer's security.
IMHO, again, AT&T needs to advise their customers to, wherever possible, obtain new email addresses, and to register their iPads again at a new address. They should immediately deactivate and clear the existing registered email addresses and have all customers give them new addresses, with a notice on that screen that the customer should give a different email address than was previously given, that they will not, ever, receive any official communications from AT&T by that other email address, that if they receive anything purporting to be from AT&T or Apple on that email address then they should report it. They should then, in detail, explain where their security failed and how they are going about fixing things. I expect, here, to see concrete instances of similar holes that they found in other processes which after reviewing this attack they plugged immediately.
But, I don't expect any such thing from AT&T, because they are a crap company. Too bad Apple sullies themselves by association.