Read about it here. Here is what I think about it.
Poor website security practices by AT&T led to the breach, but like many breaches, AT&T is just the third party. So when everyone references this breach in the future it will be Apple’s name, not AT&T. That being said, this is somewhat symbolic because emails by themselves usually don’t constitute a data breach. It is unclear what other information, if any, was also captured.

This is an interesting case because at no other time would anyone care about email addresses being exposed. This isn’t about a data breach; it is about a group being able to capture an exclusive list of America’s most influential people and their private email addresses. A list like this simply doesn’t exist. But Goatse (the security consulting group) was able to write a script that systematically harvested these addresses from the AT&T website for any iPad owners that signed up for the 3G service. While they say 114,000 emails were compromised, it is likely that many others were compromised as well.

Personally, this is where I think Goatse stepped over the line. They detected and exploited the vulnerability. They told AT&T about it. They wanted press and they have it. But they said that they gave the vulnerability exploit and script to others. Who are these others? What did they do with this information? It is always a slippery slope when a rogue security firm does this type of thing in the first place. But if you are going to do this and already be in a “grey area”, you really shouldn’t give the script out to others to use. That is what makes it go from grey to black very quickly.

Let’s all remember it is just email addresses (as far as we know). It isn’t like someone hacked into the government, took over the president’s “red phone” and called in a nuclear strike. But due to the high-profile nature of those compromised (you can’t get much higher profile), AT&T and Apple will take a lot of heat for this.