While there's no direct security risk in pairing an ICC-ID with a subscriber's email address, beyond more spam and more convincing phishing (a message that quotes the ICC-ID printed on your SIM and shown in your iPad's settings looks a lot more legitimate than a blind one), it's still a bad, bad thing to be giving away customer data out the front door. How many pairs of IDs and emails did the gang at Goatse Security (yes, that's their name) manage to collect before AT&T became aware of their activities? About 114 thousand.
One hundred and fourteen thousand.
Of course, since the script was being passed around before AT&T closed the hole, the total number of scraped accounts could be much higher, possibly as high as the total number of 3G iPads activated on the carrier. There's no way to know at the moment.
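To show why an email lookup keyed on a bare ICC-ID can be scraped by a script, and what the fix looks like, here is an added example; it is not code from the original article, from Goatse Security, or from AT&T, and it makes no claim about how AT&T's actual feature worked. It models a subscriber directory in memory: the ICC-ID values, email addresses, client addresses and log lines are constructed, and the `SubscriberDirectory` class, the device-token check, the enumeration detector and its threshold are illustrative assumptions.

```python
"""Identifier-keyed lookups as an oracle: constructed model, not any carrier's code.

An ICC-ID is a 19- or 20-digit SIM serial: "89", a country/issuer prefix, a
sequential account number and a Luhn check digit. It is printed on the SIM and
visible in the device settings, so it is an identifier, not a secret. A service
that answers "which email belongs to this ICC-ID?" to anyone who asks can be
walked by incrementing the account number and recomputing the check digit.
"""
from collections import defaultdict
import secrets


def luhn_check_digit(payload):
    """Luhn check digit for a digit string (the last digit of an ICC-ID)."""
    total = 0
    # Walk from the right; double every second digit starting with the rightmost.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def is_valid_iccid(iccid):
    """Structural check only: prefix 89, 19-20 digits, Luhn check digit matches."""
    return (iccid.isdigit() and 19 <= len(iccid) <= 20 and iccid.startswith("89")
            and luhn_check_digit(iccid[:-1]) == iccid[-1])


def next_iccids(start, count):
    """Enumerate the next `count` valid ICC-IDs after `start` (increment, re-checksum)."""
    body = start[:-1]
    out = []
    for k in range(1, count + 1):
        b = str(int(body) + k).zfill(len(body))
        out.append(b + luhn_check_digit(b))
    return out


class SubscriberDirectory:
    """Constructed directory with a vulnerable lookup and a hardened one side by side."""

    def __init__(self):
        self._by_iccid = {}  # iccid -> (email, device_token)

    def register(self, iccid, email):
        """Provisioning issues a per-device secret the SIM/app holds; it is never derivable from the ICC-ID."""
        token = secrets.token_hex(16)
        self._by_iccid[iccid] = (email, token)
        return token

    def email_for_iccid_unauthenticated(self, iccid):
        """Vulnerable pattern: the caller presents only a guessable identifier and gets PII back."""
        rec = self._by_iccid.get(iccid)
        return rec[0] if rec else None

    def email_for_device(self, iccid, device_token):
        """Hardened: the record is released only to a caller holding that device's secret.
        A wrong token and an unknown ICC-ID are indistinguishable, so the endpoint is not an oracle."""
        rec = self._by_iccid.get(iccid)
        if rec is None or not secrets.compare_digest(rec[1], device_token):
            return None
        return rec[0]


def flag_enumerators(log_lines, threshold=5):
    """Detection side (assumed log format): any client that queries `threshold` or more
    distinct ICC-IDs is flagged. Legitimate clients ask about their own SIM, not many."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        seen[fields["client"]].add(fields["iccid"])
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


def scrape_demo():
    """Register five constructed subscribers with consecutive ICC-IDs, then walk the
    neighbours of one of them. Returns (emails leaked by the weak lookup, probes refused by the hardened one)."""
    directory = SubscriberDirectory()
    body0 = 890141032111111111  # constructed 18-digit body; check digit appended below
    tokens = {}
    for k in range(5):
        b = str(body0 + k)
        iccid = b + luhn_check_digit(b)
        tokens[iccid] = directory.register(iccid, f"user{k}@example.com")  # constructed emails
    own = str(body0) + luhn_check_digit(str(body0))
    probes = next_iccids(own, 6)  # bodies +1..+6; only +1..+4 are registered
    leaked = [e for e in (directory.email_for_iccid_unauthenticated(p) for p in probes) if e]
    refused = sum(1 for p in probes if directory.email_for_device(p, tokens[own]) is None)
    assert directory.email_for_device(own, tokens[own]) == "user0@example.com"  # own device still works
    return leaked, refused


def detect_demo():
    """Constructed access log: one client looks up its own SIM, another walks six neighbours."""
    own = "8901410321111111113"
    lines = [f"2010-06-07T10:00:00Z client=198.51.100.7 iccid={own} status=200"]
    for i, p in enumerate(next_iccids(own, 6)):
        lines.append(f"2010-06-07T10:00:{i + 1:02d}Z client=203.0.113.5 iccid={p} status=200")
    return flag_enumerators(lines, threshold=5)


if __name__ == "__main__":
    print(scrape_demo())   # four neighbouring emails leak; hardened lookup refuses all six probes
    print(detect_demo())   # the walking client is flagged
```

The three points the model makes: an identifier that is structured, sequential and visible on the device is not a credential; the fix is not to hide the URL or rate-limit alone but to bind the lookup to something only the device holds; and because the scrape is a run of near-consecutive IDs from one client, it is easy to spot in access logs after the fact, which is the check AT&T's "we will inform all customers whose ... ICC IDs may have been obtained" implies.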
What's particularly stinging about the data scraping is that many of the email addresses appear to be associated with high-profile government or industry iPad buyers. As the Washington Post reported this week, the Apple tablet is a fairly common accessory among White House staff; it looks like chief of staff Rahm Emanuel's email is among the ones discovered, and there are plenty of addresses ending in .mil as well.
As for individuals? Well, in this case we defer to the experts on Apple device security (or lack thereof) at Gizmodo: no, you probably don't have much to worry about. It may be a good idea to register devices with a secondary or free email address, just to cut down on spam, and since your address may now be paired with your iPad's ICC-ID, treat any unsolicited message that references your iPad or 3G account as suspect rather than proof of a legitimate sender. Beyond that, there aren't really any preventative steps to be taken here.
We've emailed both Apple and AT&T for comment on this story. The statement from Mark Siegel, AT&T's executive director of media relations, is as follows:
"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDs. The only information that can be derived from the ICC IDs is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDs may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."
Updated to correct number of affected accounts.