I guess one of the hottest news items right now is the AT&T incident, in which the e-mail addresses of 14,000 iPad 3G customers were harvested and exposed.
So if that happens to a company, what should it do? AT&T decided to send out an apology letter.
June 13, 2010
Dear Valued AT&T Customer,
Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.
Here’s some additional detail:
On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.
As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.
I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.
While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.
AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.
AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T
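The "additional detail" paragraph of the letter describes the whole mechanism: a login page that looks up an ICC-ID and pre-fills the owner's email, queried over and over with candidate ICC-IDs. The following is an added example, not part of the original post and not AT&T's code: a toy model of that lookup, the harvesting loop, the hardened page that replaced it, and a server-side detection check. Every subscriber record, prefix, address and function name below is constructed. The one property carried over from real ICC-IDs is that they end in a Luhn check digit (ITU-T E.118), which is why an enumerator walks account numbers and computes the check digit rather than trying truly random digit strings, as the letter's wording suggests.

```python
import re
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set, Tuple


def luhn_check_digit(payload: str) -> str:
    """ICC-IDs end in a Luhn check digit (ITU-T E.118); compute it for the payload digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the digit next to the check digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_icc_id(payload: str) -> str:
    """Append the check digit so the result is a well-formed (here 19-digit) ICC-ID."""
    return payload + luhn_check_digit(payload)


# Constructed sample data standing in for AT&T's subscriber records. The 18-digit
# payloads are invented; they merely have the shape of an ICC-ID (telecom MII "89",
# then issuer and account digits). No real subscriber or issuer prefix is represented.
SUBSCRIBERS: Dict[str, str] = {
    make_icc_id("890100000000000007"): "alice@example.com",
    make_icc_id("890100000000000042"): "bob@example.com",
    make_icc_id("890100000000000099"): "carol@example.com",
}

EMAIL_FIELD = re.compile(r'name="email" value="([^"]*)"')


def vulnerable_login_page(icc_id: str) -> str:
    """The pre-population 'convenience' the letter describes: knowing an ICC-ID is
    treated as proof of owning the SIM, so the page hands back the owner's email."""
    email = SUBSCRIBERS.get(icc_id, "")
    return f'<form><input name="email" value="{email}"><input name="password"></form>'


def hardened_login_page(icc_id: str) -> str:
    """After the fix: the page reveals nothing and the user types both fields.
    The ICC-ID is still received but is never used to look anything up before login."""
    return '<form><input name="email" value=""><input name="password"></form>'


def candidate_icc_ids(prefix: str, start: int, count: int, length: int = 19) -> Iterable[str]:
    """Walk a contiguous block of account numbers under one issuer prefix. Because the
    check digit is computable, only 1 in 10 digit strings is a well-formed ICC-ID, so a
    scanner enumerates payloads and derives the check digit instead of guessing it."""
    width = length - 1 - len(prefix)
    for n in range(start, start + count):
        yield make_icc_id(prefix + str(n).zfill(width))


def harvest(page_for: Callable[[str], str], candidates: Iterable[str]) -> Dict[str, str]:
    """What the attackers' script did: request the page for each candidate ICC-ID and
    keep any address that came back pre-filled."""
    found: Dict[str, str] = {}
    for icc in candidates:
        m = EMAIL_FIELD.search(page_for(icc))
        if m and m.group(1):
            found[icc] = m.group(1)
    return found


def flag_enumerators(probe_log: List[Tuple[str, str]], miss_threshold: int = 50) -> Set[str]:
    """Detection caveat for the server side: an endpoint keyed on a guessable identifier
    should be watched as well as fixed. A genuine iPad presents its own ICC-ID and never
    misses; a scanner produces a long run of lookups for ICC-IDs that do not exist.
    probe_log is a constructed list of (client, icc_id) pairs."""
    misses = Counter(client for client, icc in probe_log if icc not in SUBSCRIBERS)
    return {client for client, n in misses.items() if n >= miss_threshold}


if __name__ == "__main__":
    block = list(candidate_icc_ids("8901", 0, 200))
    leaked = harvest(vulnerable_login_page, block)
    print(f"vulnerable page leaked {len(leaked)} of {len(SUBSCRIBERS)} addresses in {len(block)} probes")
    print(f"hardened page leaked {len(harvest(hardened_login_page, block))}")
    log = [("203.0.113.9", icc) for icc in block] + [("198.51.100.4", make_icc_id("890100000000000042"))]
    print("flagged clients:", flag_enumerators(log))
```

Two things to take from the toy: the vulnerable page needs no bug in the usual sense, just an identifier that is guessable being used as proof of identity, and the fix AT&T describes (no pre-fill, email plus password required) closes the leak without any change to how ICC-IDs are handled. The miss counter is the monitoring a practitioner would want on top, since the same class of endpoint can reappear elsewhere.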
Well apparently, from a comment I’ve read, the email is signed off with “Please do not reply to this email. This address is automated, unattended and cannot help with questions or requests.”
I like how the letter was written in an easily understood manner, and how AT&T warned consumers about what they may receive in their mailboxes as a result of this incident.
But if I were caught in such a situation, these are the changes to the letter that I would make:
1. Add in a channel for people to voice and clarify their concerns.
After all, it is their information that’s been leaked. It is only fair to hear them out.
2. Be sincere
The whole feel of this letter is more that of a blame-the-hackers-then-praise-AT&T-for-acting-fast 'FYI' note than of an apology. Sure, you can still call them malicious and highlight your fast action, but the overall tone of the letter should remain apologetic rather than being buried under those two points.
3. Let people know that you are looking for other loopholes.
After assuring customers that emails will never be leaked again, it would be good to assure them that no other information will be leaked either, by telling them that the entire system will be checked for loopholes. The best way to do that?
4. Hire the hackers.
These people are obviously more talented than the staff AT&T had (otherwise AT&T would have built a more secure system). And when you have talent, you want it working for you, not against you. As the saying goes, 'keep your friends close, keep your enemies closer', so AT&T might as well give these hackers a job building a better system.
If they do bust your ass again while employed by your company, I'm pretty sure there are laws out there to deal with them. (Although my guess is that most people wouldn't do such a thing to their employer, based on the principle of reciprocity, unless they're badly treated lah.)
Elisha Tan is the Founder of TechLadies. TechLadies is a community for women in Asia to connect, learn, and advance as programmers in the tech industry. Elisha is also the Developer Programs Regional Lead for Asia Pacific at Facebook.