Black Web 2.0
Damage Control: AT&T Apologizes for Breach
Jun 14, 2010 Aug 20, 2013

The week opens with AT&T offering a sincere apology via email to the 114,000 iPad 3G users who were affected in last week's security breach. The hole exposed the users' email addresses to the nefarious forces that be. Luckily, the nefarious ne'er-do-wells in this case weren't so nefarious. A hacking team known as Goatse Security discovered the chink in iPad's armor last Monday, swiping the precious personal information.

In the email apology, AT&T's Senior Vice President, Public Policy and Chief Privacy Officer, Dorothy Attwood, assured those affected that only their emails were exposed and that, as soon as the breach was made public, they disabled the mechanism that made the debacle possible. She also made sure to dish out a healthy dose of "thrown under the bus" at Goatse Security, stating that:
"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity."

According to Engadget, the hackers left some high-profile people feeling awfully exposed, including the CEOs of both Time Inc. and The New York Times, as well as a number of government employees. While Goatse claims they meant no harm, they have been drawing fire for not reporting the security flaw directly to AT&T, opting instead to take the info over to Gawker. The fur really hit the fan once the FBI got involved, which left Goatse circling the wagons and issuing a statement via the team's blog.

"We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.

This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you."
So now that the dust has cleared and "only" email address information was compromised, do you approve of Goatse's brand of "help"? Do you think AT&T's apology was sufficient? Let us know in the comments section.