AT&T iPad Email Breach Hacker Heading To Jail


A former Arkansas man who claimed to be a member of a hacktivist group called Goatse Security was sentenced to three years in prison for his role in a data security breach at AT&T in 2010 in which email addresses and other data were stolen from approximately 120,000 iPad 3G owners.

Andrew Auernheimer, 27, was sentenced Monday in Newark, N.J., federal court. He also was ordered by U.S. District Judge Susan D. Wigenton to pay restitution of $73,162 in damages to AT&T, according to the U.S. Attorney's Office in New Jersey. Auernheimer was convicted in November of conspiracy to access computers without authorization and identity theft.

Auernheimer and other members of the hacktivist group used an automated script to conduct a brute-force attack on AT&T servers in June 2010. Called an "Account Slurper," the tool attempted to guess Integrated Circuit Card Identifiers (ICC-IDs), the unique 19- to 20-digit number associated with every iPad and its SIM card. Each correct guess was rewarded with an ICC-ID/email pairing for a specific identifiable iPad 3G user, investigators said.

Daniel Spitler of San Francisco, another member of the Goatse group, pled guilty in 2011 to the charges and is still awaiting sentencing. The duo were arrested for their role in the AT&T iPad email breach in 2011. Goatse called itself a "loose association of hackers and self-professed Internet trolls bent on disrupting services and content on the Internet."

In July, Auernheimer and other members of the group provided stolen email addresses and ICC-IDs to the website Gawker, which published some of the stolen information. The stolen data included a lengthy list of high-profile executives, celebrities and government officials, including New York Times CEO Janet Robinson, Diane Sawyer of ABC News, film mogul Harvey Weinstein and New York Mayor Michael Bloomberg.

Following the disclosure, AT&T investigated the breach and apologized to affected users for its security lapse.

"Auernheimer coordinated a self-serving cyberattack on a United States corporation and tens of thousands of innocent customers in order to promote his business," FBI Acting Special Agent in Charge David Velazquez said in a statement. "Immediately after the attack he attempted to hide all the evidence. Auernheimer's conviction and today's sentence signifies the continued and growing efforts of the U.S. Attorney's Office and the FBI in investigating and prosecuting computer hacking and intellectual property crimes."

PUBLISHED MARCH 18, 2013