Was the iPad Breach Enabled By AT&T Layoffs?
Apple should be angry that AT&T exposed iPad 3G owners' private information to hackers. Layoffs in AT&T's top security office, which reportedly took place just weeks before the debut of the iPad, should make it positively livid.
The iPad cellular provider laid off 15 to 20 percent of the staff in the Chief Security Office earlier this year, says one source close to at least one member of the staff. The source believes this amounted to upwards of 200 people. The CSO group, headed by AT&T Chief Security Officer Ed Amoroso, is in charge of IT security at AT&T. The group kept its layoffs quiet, our tipster said, to avoid damaging the image of deep security expertise its sells to businesses.
The layoffs appear to have gone into effect in March, judging from the resumé of one affected manager. That would have been within a month of the iPad's ship date, and within two months of the release of a 3G version that communicated using AT&T's cellular network.
The layoffs seem puzzling given that AT&T had just posted profits up 25 percent to $3.1 billion. The profits rose on strong performance in the wireless division, whose association with the iPhone helped it surpass Verizon Wireless in new customer additions. The wireless division continued to add customers and revenue the next quarter, even as a health care charge ate into its profits.
Simple greed could be one explanation. Our source was told upper management intentionally cut CSO payroll and accepted "greater risk in operations" to fatten up company profits and even their own bonuses. Of course, the chatter among laid off workers has been known to diverge from reality, and we've asked AT&T for comment. We'll update this post when we hear back.
It's worth noting, though, that the PHP script used to harvest iPad customer email addresses and network IDs from an open AT&T Web server was quite simple. One or more researchers at Goatse Security set their browser identification Web header to look like the iPad's, and then fed a series of guessed ID numbers into the script, which was not guarded by a password or other authentication scheme beyond the one Web header. Just the sort of thing a qualified, seasoned staffer in AT&T's IT security office should have been able to spot fairly easily—assuming he or she had survived the layoffs.
If you know more about the situation, we'd love to hear from you.
Update: AT&T sent us a statement through a spokesman, reading:
"We are not going to get into specific numbers, but I can tell you that we have in fact been beefing up our resources in mobility security over the last quarter — including an active outside hiring effort."
It appears the layoffs occurred in March or earlier, so it's possible this "beefing up" helped replace some of the reductions of the prior quarter.
Update 6/15: Our original tipster estimated the number of CSO office layoffs at upwards of 200. We've added that detail to the story.