AT&T did it again. After exposing private data on more than 114,000 iPad 3G customers, Apple's cellular partner has inadvertently shared iPhone account data amid a flood of pre-orders. And a customer sent us screenshots to prove it.
An AT&T customer logged in to his wireless account to attempt to pre-order the forthcoming iPhone 4. The next thing he knew, he was staring at a stranger's account screen.
AT&T server's have been straining under the flood of iPhone pre-orders, spitting up error screens and causing long lines at stores. But the server strain has also resulted in customers seeing other people's accounts during the ordering process , according to emails published in Gizmodo (see update #2). "I entered my information and ended up in someone else's account with access to all their information," one read.
Our customer likewise ended up logged in as someone else, and took some screenshots. We've redacted the last name and zip code of the Colorado customer "Keith" who came up. Keith apparently was ordering through the "IRU" institutional buying program of a national realtor, whose name we've also blurred. Said our tipster:
I almost ended up ordering this guy a phone before I noticed the problem. It didn't look like I was going to be asked to verify my account again.
The "start shopping" screen (click to enlarge):
The "phone and device selection" screen (click to enlarge):
It's not clear if our tipster could have accessed other account details from the stranger, as the Gizmodo tipster above reportedly could.
But the disclosure of a real name and zip code — to say nothing of the apparent ability to order an iPhone upgrade on another's behalf — is just going to add to the idea that AT&T is bumbling and inept when it comes to guarding customers' security. It's also another blow to the idea that Apple and its tightly-controlled iPhone and iPad environment can offer a unique haven from the evildoers of the internet, be they scammers, hackers, pranksters or others who would take away what Steve Jobs called your "freedom from programs that steal your private data."
Of course, this is a much easier problem for Apple to solve than AT&T. While we're now told AT&T laid off upwards of 200+ people from its chief security office earlier this month, and needs to replace that expertise, Apple just needs to switch to another cellular partner. At this point, given iPhone and iPad sales, it seems likely like at least one among Verizon, Spring and T-Mobile would be quite eager.
Update: An AT&T insider tells Gizmodo this breach was caused by a last-minute, untested AT&T code update designed to prevent fraud. "There were multiple systems being upgraded/updated, with some updates being related to fraud."
Update: AT&T sent us the following statement:
"We have received reports of customers inadvertently seeing the wrong account information during the iPhone 4 purchasing process. We have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information. In the meantime, we are looking into this matter."
[Top photo: AT&T CEO Randall Stephenson holds up an iPhone during a speech in Washington, DC last year. Image via Getty.]