
Category Archives: Security

AT&T Trying to Deny Responsibility for Their Security

After the big security breach that exposed the email addresses of over 100,000 iPad users, AT&T sent out a letter explaining the situation to their users. The full text of AT&T’s explanation is available on the NYTimes site.

The most notable thing about this situation, to me, is that they’re trying too hard to make it sound as if it’s really not their fault. They tried to do something nice for their customers, and it’s those big bad hackers who made it into a problem and ruined it for everybody.

That’s garbage.

We’re talking about a large corporation here, with a web interface that was (presumably, at least) set up by professionals in dealing with technology. Anyone with a background in dealing with the Internet who looked at the way this was implemented (give the site the ICC-ID of an iPad, and it fills in the email address) should have been able to tell that this was a bad plan.
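
The flaw described above, as an added example that is not AT&T's code or part of the original post: a lookup that treats the device identifier as proof of identity, next to one that only answers an authenticated session bound to that identifier. The function names, the sample data and the session store are hypothetical.

```python
import hmac
from typing import Optional

# Constructed sample data: device identifier -> subscriber email (not real values).
SUBSCRIBERS = {
    "ICCID-EXAMPLE-0001": "alice@example.com",
    "ICCID-EXAMPLE-0002": "bob@example.com",
}

# Constructed session store: session token -> the one identifier that session
# has already proven ownership of (for example, by logging in to the account).
SESSIONS = {"session-token-alice": "ICCID-EXAMPLE-0001"}


def prefill_email_insecure(icc_id: str) -> Optional[str]:
    """The design the post criticizes: the identifier alone is treated as proof
    of identity, so any caller who supplies a valid one gets the email back."""
    return SUBSCRIBERS.get(icc_id)


def prefill_email_hardened(icc_id: str, session_token: Optional[str]) -> Optional[str]:
    """Return the email only to a session already bound to this identifier.

    A missing session, an unknown identifier and someone else's identifier all
    produce the same None, so the response does not confirm which IDs exist.
    """
    if not session_token:
        return None
    owned = SESSIONS.get(session_token)
    if owned is None:
        return None
    # Constant-time comparison of the requested ID against the session's own ID.
    if not hmac.compare_digest(owned.encode(), icc_id.encode()):
        return None
    return SUBSCRIBERS.get(owned)
```

The point of the hardened version is that the identifier is only a lookup key; the authorization decision comes from the session, which the identifier alone cannot establish.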

It may very well be that the people who were doing the implementing here knew that it was a problem, did their best to warn the decision-makers, and just got overruled. I think a lot of us can sympathize with those moments of telling someone, “I can make it work that way, but it’s a very bad idea…” and being told to do it anyway.

The real shame here is that AT&T is treating us like we’re stupid enough to believe that they shouldn’t be held responsible for leaving the door open to data that they were supposed to keep secure. Sadly, some people are probably honestly going to be fooled.

The real story here is that these are just the guys that we know about. The public has no way of knowing how many other people might be collecting their contact information (or even more critical data) off of badly designed interfaces into databases that are being run by AT&T.

Sure, this stuff doesn’t become a PR problem until it hits the press, but it’s just wrong to brush something like this off as if it wasn’t an issue before everyone found out about it.

 

Posted by on June 20, 2010 in Security

 
 