Gawker reports on a security problem by AT&T that Gawker says has exposed the personal data of 114,000 Apple iPad owners. AT&T has admitted the breach, but has not identified how many iPad owners were affected. Gawker was tipped off by a member of Goatse Security.
Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking.
The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised.
It doesn’t stop there. According to the data we were given by the web security group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised, although it’s possible that confidential information about every iPad 3G owner in the U.S. has been exposed. […]
Then there’s the question of whether any damage can be done using the ICC IDs. The Goatse Security member who contacted us was concerned that recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID. Two other security experts we contacted were less confident in that assessment. Mobile security consultant and Nokia veteran Emmanuel Gadaix told us that while there have been “vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID… as far as I know, there are no vulnerability or exploit methods involving the ICC ID.”
AT&T told Gawker, “We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”