Two charged in AT&T-iPad data breach

Members of hacker group who claimed responsibility for AT&T-iPad Web site breach are charged with conspiracy to access a computer without authorization and fraud.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
The criminal complaint includes Internet Relay Chat logs purportedly between Auernheimer and Spitler.

Two men were charged with computer crimes today for allegedly hacking into AT&T servers and stealing e-mail addresses and other information of about 120,000 iPad users last summer.

Andrew Auernheimer, 25, was arrested in his home town of Fayetteville, Ark., while appearing in state court on unrelated drug charges, and Daniel Spitler, 26, of San Francisco, surrendered to FBI agents in Newark, N.J., according to the U.S. Attorney's office in New Jersey. Both men were expected to appear before federal judges in Arkansas and New Jersey.

They each face one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information. They're also looking at a maximum of 10 years in prison and a $500,000 fine.

Auernheimer was ordered held until a bail hearing set for Friday, while Spitler was released on $50,000 bail and ordered not to use the Internet except at his job as a security guard at a Borders bookstore, according to an Associated Press report. In comments to reporters outside the Newark courthouse, Spitler said he was innocent, adding: "The information in the complaint is false. This case has been blown way out of proportion."

Auernheimer told the magistrate that he had been drinking until 6:30 that morning and said of the complaint: "This is a great affidavit--fantastic reading," according to the AP report.

Last June, Auernheimer told CNET that members of his hacker group, which calls itself Goatse Security, uncovered a hole in AT&T's Web site used by iPad customers on the 3G wireless network and went public with it by revealing details to Gawker Media.

Up until then, AT&T automatically linked an iPad 3G user's e-mail address to the iPad's unique number, called the Integrated Circuit Card Identifier (ICC-ID), so that whenever the customer accessed the AT&T Web site, the ICC-ID was recognized and the e-mail address was automatically populated. The ICC-ID was also displayed in the URL in plain text.

Spitler is accused of writing a script called the "iPad 3G Account Slurper" and using it to harvest AT&T customer data via a brute force attack on the site, which fooled the site into revealing the confidential information, according to the criminal complaint filed last week but unsealed and released publicly today.
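A defender's view of the pattern described above, as an added example that is not taken from the article or the complaint: one client requesting many different ICC-IDs in a short span stands out from a device that only ever presents its own. The log format, the `/prefill?iccid=` path, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical access-log line (an assumption, not AT&T's format):
#   <ISO timestamp> <client IP> GET <path>?iccid=<19-20 digits> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) GET \S*[?&]iccid=(\d{19,20}) (\d{3})$")

def flag_enumeration(lines, max_distinct=3, window=timedelta(minutes=5)):
    """Return {client: peak distinct ICC-IDs} for clients that requested more
    than max_distinct different ICC-IDs inside any sliding time window.
    Assumes each client's lines arrive in time order."""
    recent = defaultdict(deque)  # client -> (time, iccid) pairs still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICC-ID lookup request
        ts, client, iccid = datetime.fromisoformat(m[1]), m[2], m[3]
        q = recent[client]
        q.append((ts, iccid))
        while ts - q[0][0] > window:  # drop requests older than the window
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample data: documentation-range IPs and made-up ICC-IDs.
BASE = 89 * 10**17
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOG = [
    # one device reloading its own page: the same ICC-ID every time
    f"{(T0 + timedelta(seconds=30 * n)).isoformat()} 192.0.2.10 GET /prefill?iccid={BASE + 7} 200"
    for n in range(6)
] + [
    # one client walking through consecutive ICC-IDs, one per second
    f"{(T0 + timedelta(seconds=n)).isoformat()} 198.51.100.23 GET /prefill?iccid={BASE + 100 + n} 200"
    for n in range(8)
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Per-client counting misses lookups spread across many addresses, so it complements, rather than replaces, requiring an authenticated session before any e-mail address is returned.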

The complaint includes Internet Relay Chat messages supposedly sent between Auernheimer and Spitler in which they talk about selling the e-mail addresses to spammers, shorting AT&T stock before releasing details of the breach, and destroying evidence.

"If we can get a big dataset we could direct market iPad accessories," Auernheimer says in a message to Spitler, according to the complaint.

In another chat session included in the complaint, Spitler says he would like to stay anonymous so he doesn't get sued. "Absolutely may be legal risk yeah, mostly civil you absolutely could get sued," Auernheimer replied, the complaint read.

Before going to Gawker, Auernheimer also allegedly contacted Thomson-Reuters and the San Francisco Chronicle, and sent an e-mail to a board member at News Corp. whose e-mail address was leaked in the breach in attempts to get news articles written about the incident, according to the complaint.

Asked if he reported the hole to AT&T, Auernheimer replied "totally but not really...I don't (expletive) care I hope they sue me," according to the chat logs.

"Those chats not only demonstrate that Spitler and Auernheimer were responsible for the data breach, but also that they conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security," the U.S. Attorney's office said in a statement.

AT&T has spent about $73,000 as a result of the breach, including contacting all iPad 3G customers to notify them, the complaint says. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.

Auernheimer told CNET last summer that the data exposed in the breach was contained. The concern was that iPad users who had their e-mail addresses exposed would then be at risk of receiving phishing or spam e-mail that appeared to be from Apple or AT&T but which was designed instead to trick them into revealing more information or downloading malware.

Auernheimer did not return an e-mail seeking comment, and Spitler could not be reached. AT&T did not immediately respond to a request for comment.

Auernheimer, a self-described Internet "troll," was arrested last June when authorities found drugs while searching his home for evidence related to the AT&T-iPad investigation. He was later released on bail.

Updated 5:20 p.m. PDT with details on Spitler release on bail, Auernheimer held pending bail hearing and their comments inside and outside court.