AT&T email address security breach: Can hackers track a SIM card?

AT&T email address security breach: Can hackers track a SIM card?

Can you explain the recent hack involving the compromise of thousands of email addresses? Was it Apple's fault or AT&T? Is there really a risk that users' location data may be compromised as well?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The recent Web security attack involving an email address security breach and compromise of SIM card serial numbers of iPad owners appears to be AT&T Inc.'s fault. According to Ed Amoroso, chief security officer at AT&T, the company pre-populated its website with email addresses to make renewal easier for users, and the attackers were able to exploit a vulnerability in AT&T's website to extract the data. While AT&T appears to be responsible for the security of the system, Apple Inc. should have been doing its due diligence to ensure its partners adequately protected its customers' sensitive data.

The exposure of email addresses of important or famous people has been getting the most attention in this attack, but the breach of SIM card serial numbers (which are related to ICC-IDs and IMI numbers used in the cellular system) is potentially much more significant. These numbers are used for determining the location of the cell phone/device and could put people at higher risk of having their locations tracked by unknown persons via their cell phones. In order to track a SIM card the attacker would need access to the cellular network, but such access could be easily gained and would allow the attacker to track and target an individual cell phone. Enterprises should make sure they are aware of the risk to the physical security of their users who have been exposed as a result of this attack and take precautions, like advising high-risk employees to turn their phones off when not in use.

This was first published in July 2010

Back to top