Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data

A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T's website was found guilty on Tuesday.

Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization.

The jury reached its verdict just hours after being sequestered.

Auernheimer tweeted to supporters that he expected the verdict and planned to appeal.

Auernheimer and Daniel Spitler, 26, of San Francisco, California, were charged last year after the two discovered a hole in AT&T's website in 2010 that allowed anyone to obtain the e-mail address and ICC-ID of iPad users. The ICC-ID is a unique identifier that's used to authenticate the SIM card in a customer's iPad to AT&T's network.

The iPad was released by Apple in April 2010. AT&T provided internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their e-mail address. AT&T linked the user's e-mail address to the ICC-ID, and each time the user accessed the AT&T website, the site recognized the ICC-ID and displayed the user's e-mail address.

Auernheimer and Spitler discovered that the site would leak e-mail addresses to anyone who provided it with an ICC-ID. So the two wrote a script, which they dubbed the "iPad 3G Account Slurper," to mimic the behavior of numerous iPads contacting the website in order to harvest the e-mail addresses of iPad users.
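The flaw described above comes down to a lookup that treats an identifier as if it were a credential. As an added illustration (not code from AT&T, the defendants or the original article), this Python example places that lookup beside a hardened one that answers only for the ICC-ID an authenticated session is bound to and throttles a client that asks about many different ICC-IDs. The names `ACCOUNTS`, `SESSIONS`, `MAX_DISTINCT`, `lookup_vulnerable` and `lookup_hardened`, and all sample values, are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: ICC-ID -> account e-mail (not real identifiers).
ACCOUNTS = {
    "8900000000000000001": "alice@example.com",
    "8900000000000000002": "bob@example.com",
}
# Constructed session store: session token -> ICC-ID that session logged in as.
SESSIONS = {"tok-alice": "8900000000000000001"}

# Assumed threshold: a real device presents one ICC-ID, so a client asking
# about more than a few distinct values is treated as enumerating.
MAX_DISTINCT = 3
_seen = defaultdict(set)  # client address -> distinct ICC-IDs it has asked about


def lookup_vulnerable(iccid):
    """The flaw as the article describes it: the ICC-ID alone selects the record."""
    return ACCOUNTS.get(iccid)


def lookup_hardened(session_token, iccid, client_ip):
    """Return (status, email); the e-mail goes only to the session that owns the ICC-ID."""
    _seen[client_ip].add(iccid)
    if len(_seen[client_ip]) > MAX_DISTINCT:
        return (429, None)  # throttle: too many different ICC-IDs from one client
    owner = SESSIONS.get(session_token)
    if owner is None or owner != iccid:
        # Same response for "no session", "unknown ICC-ID" and "someone else's
        # ICC-ID", so the reply does not confirm which identifiers exist.
        return (403, None)
    return (200, ACCOUNTS.get(iccid))


if __name__ == "__main__":
    print(lookup_vulnerable("8900000000000000002"))
    print(lookup_hardened("tok-alice", "8900000000000000002", "203.0.113.5"))
    print(lookup_hardened("tok-alice", "8900000000000000001", "203.0.113.5"))
```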

According to authorities, they obtained the ICC-ID and e-mail address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, New York Times CEO Janet Robinson and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.

The two contacted the Gawker website to report the hole, a practice often followed by security researchers to call public attention to security holes that affect the public, and provided the website with harvested data as proof of the vulnerability. Gawker reported at the time that the vulnerability was discovered by a group calling itself Goatse Security.

AT&T maintained that the two did not contact it directly about the vulnerability and that it learned about the problem only from a "business customer."

Auernheimer later sent an e-mail to the U.S. attorney's office in New Jersey, blaming AT&T for exposing customer data, authorities say.

"AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders," he wrote, according to prosecutors. "I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure."

But prosecutors say his interest went beyond concern about the security of customer data.

According to the criminal complaint, a confidential informant helped federal authorities make their case against the two defendants by providing them with 150 pages of chat logs from an IRC channel where, prosecutors said, Spitler and Auernheimer admitted conducting the breach to tarnish AT&T's reputation and promote themselves and Goatse Security.

Spitler: I just harvested 197 email addresses of iPad 3G subscribers there should be many more ... weev: did you see my new project?

Auernheimer: no

Spitler: I'm stepping through iPad SIM ICCIDs to harvest email addresses if you use someones ICCID on the ipad service site it gives you their address

Auernheimer: loooool thats hilarious HILARIOUS oh man now this is big media news ... is it scriptable? arent there SIM that spoof iccid?

Spitler: I wrote a script to generate valid iccids and it loads the site and pulls an email

Auernheimer: this could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails

...

Spitler: I hit fucking oil

Auernheimer: loooool nice

Spitler: If I can get a couple thousand out of this set where can we drop this for max lols?

Auernheimer: dunno i would collect as much data as possible the minute its dropped, itll be fixed BUT valleywag i have all the gawker media people on my facecrook friends after goin to a gawker party

At one point the two discussed the legal risks of what they were doing:

Spitler: sry dunno how legal this is or if they could sue for damages

Auernheimer: absolutely may be legal risk yeah, mostly civil you absolutely could get sued to fuck

At the same time, others on the IRC chat allegedly discussed the possibility of shorting AT&T's stock.

Pynchon: hey, just an idea delay this outing for a couple days tommorrow short some at&t stock then out them on tuesday then fill your short and profit

Rucas: LOL

Auernheimer: well i will say this it would be against the law ... for ME to short the att stock but if you want to do it go nuts

Spitler: I dont have any money to invest in ATT

...

Auernheimer: if you short ATT dont let me know about it

Spitler: IM TAKIN YOU ALL DOWN WITH ME SNITCH HIGH EVERYDAY

In the wake of news stories about the breach, they allegedly discussed their failure to report the vulnerability to a "full disclosure" mailing list, as well as the opportunity to push their Goatse Security business as a result of the breach:

Nstyr: you should've uploaded the list to full disclosure maybe you still can

Auernheimer: no no that is potentially criminal at this point we won

Nstyr: ah

Auernheimer: we dropepd the stock price

Auernheimer: lets not like do anything else we fucking win and i get to like spin us as a legitimate security organization

Spitler pleaded guilty to the charges last year.