Charges Filed in 2010 AT&T iPad Security Breach That Revealed Personal Information

[MacRumors]

Reuters reports that U.S. prosecutors have filed criminal charges against two people involved in an AT&T security breach last year that saw email addresses and SIM identifiers for close to 120,000 U.S. iPad + 3G users exposed.

U.S. prosecutors filed criminal charges against two people accused of stealing the email addresses and other personal data of about 120,000 users of Apple Inc's (AAPL.O) iPad tablet computer.

Daniel Spitler and Andrew Auernheimer were each charged with one count of fraud and one count of conspiracy to access a computer without authorization, prosecutors said.

The FBI has been investigating the situation over the past seven months, and authorities have apparently now finally gathered enough evidence to charge those claimed to have accessed and shared the information. A press conference is reportedly scheduled for this afternoon to allow prosecutors and the FBI to discuss the case.

Auernheimer had previously argued that he had done nothing wrong, simply accessing information made freely available on AT&T's site due to improper security controls. Questions remained, however, about what was done with the information and why he had shared the details of the breach and the harvested information with Valleywag rather than going straight to AT&T.

Article Link: Charges Filed in 2010 AT&T iPad Security Breach That Revealed Personal Information

 

[mwayne85]

I'm gonna go get the papers get the papers

 

[nwcs]

If the FBI has been investigating them and brought the evidence to get them charged then they are probably toast.

 

[Full of Win]

Questions remained, however, about what was done with the information and why he had shared the details of the breach and the harvested information with Valleywag rather than going straight to AT&T.

There was no 'question' why - it was a pissing match between Gawker/Gizmodo and Apple. Gawker used this as a foil against Apple, even thought the fault was with AT&T.

The list had some bigwigs names on it (military Generals, hollywood types). You don't mess with people like that and not expect some blowback.

 

[Consultant]

Sorry, the information wasn't freely available.

 

[Durendal]

If the FBI has been investigating them and brought the evidence to get them charged then they are probably toast.

Weev is already toast. The Feds found tons of drugs when they raided his apartment shortly after he came out with the whole mess.

 

[Small White Car]

Sorry, the information wasn't freely available.

I think it was. He's right about that part.

What he's missing is that once they found the info it's what they did with it that's the reason they're in trouble.

 

[doctor-don]

Set an example for other hackers and throw the book at them. Prosecute to the fullest.

 

[wolfshades]

I'm not surprised it took this long to get the charges laid. The fighing of cybercrime is still pretty much an uphill battle.

 

[Joe-Diver]

Fry 'em. Make examples out of them. Hit 'em as hard as you can.

Questions remained, however, about what was done with the information and why he had shared the details of the breach and the harvested information with Valleywag rather than going straight to AT&T.

That's the key....what was done with the information....that shows the true intentions and character of these folks.....and we don't need 'em.

 

[ThomasJL]

AT&T fails again!

Yet another reason to choose any carrier instead of AT&T. AT&T is infamously known for cutting corners to save a buck, and it is not surprising that they took the cheapskate route by skimping on security.

Shame on Apple for making AT&T an exclusive carrier. Shame on Apple for not including the 1700 MHz AWS band in their iPads and iPhones, which would have allowed the device to be used on T-Mobile's 3G network (as well as other AWS 3G networks overseas).

 

[0815]

I wish people would stop calling this an iPad Security Breach - it was an AT&T security breach that was publishing emails from iPad users on the AT&T website ... nothing to do with iPad security.

I know, this kind of headlines generates more clicks which is good for advertisement - but still sad to see the misleading headline on sites like macrumors.

 

[jamesryanbell]

Everybody who is smart enough to do stuff like that needs to have good enough values NOT to do it. I just like to post utopian idiocy like that from time to time. Just keep going.

 

[louis Fashion]

Book'em Danno

Off with their heads.

 

[NoExpectations]

Set an example for other hackers and throw the book at them. Prosecute to the fullest.

Agreed. Items in retail stores are also "readily available". If you steal those, it's called theft. If you steal and spread personal information "just because you can", you should be prosecuted.

 

[satcomer]

Set an example for other hackers and throw the book at them. Prosecute to the fullest.

I agree with this. Make him the example!

 

[LorenCahlander]

Agreed. Items in retail stores are also "readily available". If you steal those, it's called theft. If you steal and spread personal information "just because you can", you should be prosecuted.

Excellent analogy. I could not agree more.

 

[0815]

I agree with this. Make him the example!

Another agreed from me ... examples have to be set.

 

[aprilfools]

Great. take em down down down...

Take them down, down to china town!
I'm one of those that most likely got compromised as an iPad with 3G user since day one. I used to get zero spam and ever since that happened, I get spam all the time. Coincidence? I don't think so.

Besides the spam aspect, on a bigger note, these guys need to become an example for the rest of the POS hackers out there.

 

[Mark Booth]

Once again, Gawker Media is involved. Maybe these two profited in some way from providing the information to Valleywag (Gawker)? It wouldn't be the first time Gawker paid for a story.

Mark

 

[Full of Win]

Off with their heads.

Sorry, but Danno is dead.

The problem with "off with their heads" is that the next time something like this happens, it will be released as a file on BT by ANON or some untraceable person.

AFAIK this list has not made it to the general public...yet.

 

[shartypants]

They really should have gone straight to AT&T. But, no, they wanted fame.

 

[Cleve]

Excellent analogy. I could not agree more.

Horrible example, I could not agree less.

What they did isn't the same as stealing. Stealing implies that there was something taken. This is just duplication.

It is the same as taking a picture of something and showing something else. In this case, the information was sensitive and insecure. They showed it to a news organization to generate awareness.

If they hadn't, do you think AT&T would have done anything about it?

Now Weev may have other issues with drugs which is another matter entirely but as to the charges here, it sets a bad precedent for whistleblowers.

 

[mohrt]

Agreed. Items in retail stores are also "readily available". If you steal those, it's called theft. If you steal and spread personal information "just because you can", you should be prosecuted.

I don't see how that analogy applies. Items in retail stores are physical items, not intangible data. Retail items cannot be "spread" like data. Items in retail stores are for sale, this data was not.

Not that I'm advocating what he did, but the analogy is not accurate. Maybe the question is, did he "steal" the data, the same as walking out of a retail store without paying for an item? Or is the problem that he collected the data and made it much more readily available to the public? If someone scrapes email addresses off public websites and puts the collected list on a torrent, is that illegal?

 

[Rajani Isa]

Horrible example, I could not agree less.

What they did isn't the same as stealing. Stealing implies that there was something taken. This is just duplication.

Try that one in court. SEE: RIAA, MIAA, etc.

Hell, Aldritch Ames only duplicated information - he didn't steal it at all!

While there were no physical goods taken, it WAS an illegal act; this was a form of theft. The only legal and ethical thing to have done with that list was send it to AT&T and say "Look what I found on your website".

Maybe Apple as well. Just to make sure someone put some heat on AT&T to close that security hole.

I don't see how that analogy applies. Items in retail stores are physical items, not intangible data. Retail items cannot be "spread" like data. Items in retail stores are for sale, this data was not.

Not that I'm advocating what he did, but the analogy is not accurate. Maybe the question is, did he "steal" the data, the same as walking out of a retail store without paying for an item?

So you then think Installous is perfect legit - that as we don't take physical copies of the programs installed via Installous it's not theft?

Or is the problem that he collected the data and made it much more readily available to the public? If someone scrapes email addresses off public websites and puts the collected list on a torrent, is that illegal?

It's one thing to scrape info off a public site - info posted TO the public (like our email addresses here if we have them marked viewable, etc.) where the people it pertains to have opted to have it show.

The issue with the AT&T thing is there is no way those people wanted their SIM info displayed to the public; it was obviously a security breach.

T