The AT&T data leak is no big deal -- really

The world won't end over the exposed email addresses of 114,000 iPad owners -- but you wouldn't know it from the blogosphere

Getting a chance to bash AT&T twice in two weeks is like getting to hit a pinata filled with $100 bills. Hand me the stick and stand back, boys.

Last week I wrote about AT&T's parsimonious data plan (all-you-can-eat is dead, Jim) and its chowder-headed attempt to silence an angry customer who sent CEO Randall Stephenson two mildly angry emails by threatening to serve him with a cease-and-desist letter. On voice mail. Which the customer promptly posted on Tumblr for all the world to hear.

[ Also on InfoWorld: Want a real reason to pile on AT&T? Cringely can tell you where to direct your scorn in "CEOs gone wild" | Stay up to date on all Robert X. Cringely's observations with InfoWorld's Notes from the Underground newsletter. ]

This week of course, there's the iSpill. A few days ago Gawker reported that hackers working at Goatse Security (more on them in a minute) had managed to steal the email addresses of 114,000 iPad owners via a flaw in AT&T's Website. The blog equivalent of a Level 5 hurricane erupted.

Security iGuide

Gawker called it "Apple's worst security breach... expos[ing] the most exclusive email list on the planet." Even the feds are investigating.

Before I go any further, let me do some disclosure. I'm an AT&T survivor. Last January I ditched Ma Bell's twisted little offspring after more than two miserable years. About five seconds after my contract was up I was gone, never to return. Because when I make a phone call, I really like to be able to hear what the other person is saying, and vice versa. I'm just funny that way, so every opportunity for payback is something I relish.

That's why it pains me to say the following: The iSpill was not actually that bad -- and even security eggheads like Sophos' Graham Cluley agree with me. It's certainly not as bad as Gawker and all the sites that rehashed its report made it sound. Though it's never good when your service provider just coughs up your email address on demand to a crew of hackers, it's not exactly BPgate; this is not the Deepwater Horizon of data spills.

Here's what happened, as I understand it. Like many Websites, AT&T's iPad portal was set up to automatically recognize data plan subscribers and fill in the first half of their logon: their email address. No big deal -- but to identify these users, AT&T relied upon the unique 20-digit code assigned to the SIM card inside the iPad, a number that was also used in the URL of their landing page.

1 2 Page
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies