BreachExchange mailing list archives

BlueToad, Inc. responsible for Apple UDID Theft


From: security curmudgeon <jericho () attrition org>
Date: Mon, 10 Sep 2012 11:55:23 -0500 (CDT)


http://blog.bluetoad.com/2012/09/10/statement-from-bluetoad-regarding-the-cyber-attack-suffered-in-the-recent-case-of-stolen-apple-udids/

Statement from BlueToad regarding the cyber attack suffered in the recent 
case of stolen Apple UDIDs

Posted on September 10, 2012 by BlueToad Inc.
Written by Paul DeHart, CEO and President

A little more than a week ago, BlueToad was the victim of a criminal cyber 
attack, which resulted in the theft of Apple UDIDs from our systems. 
Shortly thereafter, an unknown group posted these UDIDs on the Internet. 
At BlueToad, we understand the importance of protecting the safety and 
security of information contained on our systems.

Although we successfully defend against thousands of cyber attacks each 
day, this determined criminal attack ultimately resulted in a breach to a 
portion of our systems.

When we discovered that we were the likely source of the information in 
question, we immediately reached out to law enforcement to inform them and 
to cooperate with their ongoing criminal investigation of the parties 
responsible for the criminal attack and the posting of the stolen 
information.

We have fixed the vulnerability and are working around the clock to ensure 
that a security breach doesn't happen again.  In doing so, we have engaged 
an independent and nationally-recognized security assurance company to 
assist in our ongoing efforts.

We sincerely apologize to our partners, clients, publishers, employees and 
users of our apps.  We take information security very seriously and have 
great respect and appreciation for the public's concern surrounding app 
and information privacy.

BlueToad does not collect, nor have we ever collected, highly sensitive 
personal information like credit cards, social security numbers or medical 
information.  The illegally obtained information primarily consisted of 
Apple device names and UDIDs - information that was reported and stored 
pursuant to commercial industry development practices.

Upon Apple's recommendation several months ago, we modified our code base 
to discontinue the practice of reporting UDIDs.  We have now also 
discontinued storing any UDID information sent to our servers by apps that 
have not yet been updated to the new code base.

We understand and respect the privacy concerns surrounding the data that 
was stolen from our system.  BlueToad believes the risk that the stolen 
data can be used to harm app users is very low.  But that certainly 
doesn't lessen our resolve to ensure that all data is protected and kept 
from those who seek to illegally obtain it.

We will continue to monitor this situation and cooperate with law 
enforcement in the investigation of the parties responsible for this 
crime.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list