The man who hacked AT&T to gain iPad user details in 2010 was sentenced to 41 months in jail last night.
Andrew Auernheimer, known as ‘Weev', was sentenced after he exploited a weakness on the website of AT&T that allowed him and a co-conspirator to obtain data on roughly 120,000 Apple iPad users, including politicians and celebrities. The weakness was patched shortly afterwards, but early iPad users including New York Times CEO Janet Robinson, film mogul Harvey Weinstein and New York Mayor Michael Bloomberg were affected.
Apple bore responsibility for ensuring the privacy of its users, although the vulnerability was confined to AT&T servers. Auernheimer and co-defendant Daniel Spitler worked under the name ‘Goatse Security', and wrote a PHP script to automate the harvesting of data, that was shared with third-parties prior to AT&T closing the security hole. Spitler took a plea bargain in 2011.
Auernheimer turned over the information to the Gawker website, which posted some partially redacted addresses, prompting an FBI investigation. Auernheimer was arrested on drug charges six days after the details of the breach were released
Auernheimer fought the charges in court, believing they were bogus because he did not technically hack into anything but merely tricked a publicly available site, with the help of a script written by Spitler, into divulging the information.
He argued that he didn't use any classic hacking techniques, such as brute force or SQL injection and he never sought to profit off the information he discovered, only to shame a major corporation such as AT&T for poor security practices.
Auernheimer's attorney Tor Ekeland said he plans to file an appeal today with the third circuit court of appeals. The Electronic Frontier Foundation said it would join Auernheimer's legal team to litigate his appeal.