The FBI and federal prosecutors have arrested two men who allegedly hacked into the iPad accounts of about 120,000 AT&T customers last June, exposing the e-mail addresses and ICC IDs of several top government officials.
Andrew Auernheimer and Daniel Spitler of the Internet hacking group Goatse Security were taken into custody by FBI agents yesterday morning and charged with conspiracy to hack into AT&T's servers and possession of personal subscriber information obtained from the servers, according to U.S. District Attorney Paul Fishman.
AT&T said in a brief statement that it takes its customers' privacy "very seriously and we cooperate with law enforcement whenever necessary to protect it." Apple did not reply to requests for comment, and it remains unclear what responsibility, if any, Apple shares for the iPad's security flaw.
Goatse Security maintains that no criminal act was committed by Spitler and Auernheimer. In a statement, a Goatse representative said the pair had "acted entirely within the law, and entirely for the interests of public security. The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering of the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously)."
The criminal complaint against Auernheimer and Spitler states that the two men wrote a computer program and used it to hack into AT&T's servers over the course of four days in early June to collect the paired e-mail addresses and ICC IDs of the operator's iPad customers.
The pair then allegedly released the list of e-mails to Gawker.com, which published the list in redacted form along with an article about the breach. The list was estimated at the time to contain 114,000 e-mail addresses and included information about New York City Mayor Michael Bloomberg, former White House Chief of Staff Rahm Emanuel and employees of NASA, Homeland Security and the FCC.
A Goatse Security representative says the list was only given to Gawker on the condition that it would be redacted, as proof that the data breach was not a fictitious claim. "Had it not been released to the media in the way it was, it would have been swept under the rug and users would never have known," a Goatse representative said.
AT&T confirmed the security breach on June 10 and said it had not been contacted by the group who discovered the flaw in its servers. At the time, Auernheimer, who then identified himself as Escher Auernheimer, said AT&T had "plenty of time" to inform the public before the disclosure of the information but failed to act.
At the time of the breach, security experts told Wireless Week that the flaw in AT&T's system was easily avoidable, but that the attack itself was not serious since it appeared no personal information was compromised beyond users' e-mail addresses and ICC IDs.