Internet Lawyer Blog

AT&T Inc. acknowledged Wednesday that a security hole in its website had exposed iPad users’ email addresses, a breach that highlights how corporations still have problems protecting private information.

A small group of computer experts that calls itself Goatse Security claimed responsibility for the intrusion, saying the group had exploited an opening in AT&T’s website to find numbers that identify iPads connected to AT&T’s mobile network.

Those numbers allowed the group to uncover 114,000 email addresses of thousands of iPad customers, including prominent officials in companies, politics and the military, the group said. Gawker Media LLC reported the breach Wednesday. It doesn’t appear any financial or billing information was made public.

The Federal Trade Commission (FTC) recently filed a series of comment letters with the Federal Communications Commission (FCC) supporting that agency’s consideration of privacy and data security in the development of its Broadband Plan. The first of these letters,[1] dated December 9, 2009, highlights the extent to which federal agencies, including the FTC and FCC, are focusing their resources on privacy and data security issues in response to the rapid expansion in recent years of Internet-based software and data services (commonly referred to as “cloud computing”), and the growing dependence by businesses on authentication and credentialing (what the FTC terms “identity management”).

By way of background, the FCC’s National Broadband Plan[2] sets various goals aimed at providing affordable broadband coverage to areas of the U.S. that go underserved in the current market, including homes, schools, hospitals and local government. The plan also focuses on improving public safety, both through expanding or enhancing broadband services, and promoting cybersecurity and the protection of critical broadband infrastructure. In this respect, the plan makes a number the recommendations, including the creation by the FCC of a “cybersecurity certification regime” and (in conjunction with the Department of Homeland Security) “a cybersecurity information reporting system.” The depth and breadth of these recommendations appears to move the FCC closer to the regulation of data security, an area where activity at the federal level, at least with respect to consumers, has generally fallen under either the Justice Department through criminal investigations, or the FTC via enforcement actions and various other initiatives.

The letter goes on to emphasize some of the FTC’s more significant efforts in this regard, including a 2007 workshop on customer authentication technology and policy, followed by a 2008 report on the same topic, and most notably, the Commission’s enforcement action and $15 million settlement against ChoicePoint for failure to follow reasonable data protection procedures ,— the largest civil money penalty in FTC history. The letter also mentions some of the Commission’s more recent efforts to address privacy challenges surrounding cloud computing, including three roundtable forums on privacy in the age of cloud computing and social networking, the last of which took place in March of 2010.