There’s an ongoing argument in barrooms, pubs and wherever else soccer fans gather about who is the best player in the world. The general consensus right now is Lionel Messi, the Argentinian genius, but others can build a case for Wayne Rooney, Didier Drogba or even Cristiano Ronaldo. A similar discussion often breaks out among security professionals about which vendor currently is wearing the goat’s horns, and while Adobe has topped the list of late, AT&T, a late entrant, is gunning for that number one spot right now.
The evidence here is the mess that’s come from the exposure of personal data belonging to more than 100,000 iPad buyers. The attack, which was disclosed last week, exploited a vulnerability in AT&T’s Web site and enabled hackers to obtain the email addresses of the people who bought specific iPads. In terms of security breaches, this is not the end of the world. Email addresses are sold by the hundreds of thousands every day by spammers and phishing gangs, and it doesn’t look like there’s any easy way for the attackers to match the emails to buyers’ other personal information.
The real problem is AT&T’s response to the iPad breach. Instead of issuing a mea culpa and pledging to do better, AT&T essentially deflected all the blame to the attackers. It’s the corporate version of the Some Other Dude Did It Defense. In an email statement about the iPad breach, AT&T takes little responsibility for the incident. From the email sent by AT&T’s Dorothy Attwood:
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses. They then put together a list of these e-mails and distributed it for their
As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the e-mail address. Now, the authentication page log-in screen requires the user to enter both their e-mail address and their
I want to assure you that the e-mail address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your e-mail, and any other personal information were never at risk.
Stop it. Just stop it. Very few customers care a whit about the gory details of the attack. They couldn’t care less whether the “malicious hackers” used some insanely creative tactic that would make Mark Dowd’s head spin or whether they just found a list of email addresses in a Dumpster. What they care about is the outcome, and the outcome here is a Dumpster fire.
It’s all well and good that AT&T identified the problem and fixed it. That’s a given. It should not be the meat of your press release. It should be the last paragraph, following a detailed apology and a promise to do better. Many people in the security and privacy communities have been sharply critical of AT&T for its response, and rightly so. This is precisely how not to respond to an incident like this.
The standard on responses to attacks has been set by organizations such as the Apache Software Foundation, whose main site was compromised last summer. Apache was entirely open and honest about the attack and gave as much detail as it had on hand. That’s the model that AT&T and other organizations that find themselves in these embarrassing situations should follow. It may be painful in the short term, but it’s the best way forward.