Apple iPhone 4 Pre-Order Is a Security-Breached Nightmare: AT&T to Blame? [Updated]

Apple's iPhone 4 (check out our hands-on here) is available for pre-order today. Not purchase, just pre-order, which makes it even crazier that customers have come out in such force that AT&T customer service agents are probably crying themselves to sleep tonight. They should try to sleep--they've got a long day ahead of them tomorrow, given the major security breach that occurred today.

It appears that AT&T was unable to deal with the large number of orders, and since all orders (even from Apple's official site) were routed through AT&T, when AT&T went down, everyone went down with it. And AT&T went down hard. There are reports of waits of 20 minutes per customer (for a procedure that should take no more than a minute or two), and sometimes as long as a few hours. AT&T's site eventually crashed so hard that stores were forced to drastic measures.

Some AT&T stores moved to primitive 20th-century methods like imprinting credit cards with ink and paper. One store in Plainfield, IL simply closed down for the day, unable to take any orders. [Update: My source at AT&T says this is not true.]

Even worse, when orders did eventually go through, many returned errors. Some were charged the full, unsubsidized price ($700), or were billed two or three separate times due to AT&T employees mashing the "submit" button, hoping one would get through.

The worst problem has to be the security breach some customers found. As reported by Gizmodo, some customers, upon logging into AT&T's site to order an upgrade, were actually taken to an entirely different user's page, already logged in. That gives access to a stranger's private billing and calling information. Apparently the breach is due, ironically, to a security update that went out over the weekend. AT&T didn't test the update, and it seems to have backfired.

It's a pretty egregious error. AT&T has yet to respond to my requests for comment, but this is a much more serious breach than, say, the iPad email address leak. I'll update more as we hear more about this situation.

Update: I've just spoken to an AT&T rep, who gave me the following statements. I've truncated the first one, which has a lot of self-congratulations on the iPhone 4's tremendous pre-sales.

iPhone 4 pre-order sales yesterday were 10-times higher than the first day of pre-ordering for the iPhone 3G S last year. [...]

Given this unprecedented demand and our current expectations for our iPhone 4 inventory levels when the device is available June 24, we’re suspending pre-ordering today in order to fulfill the orders we’ve already received.

The availability of additional inventory will determine if we can resume taking pre-orders.

In addition to unprecedented pre-order sales, yesterday there were more than 13 million visits to AT&T’s website where customers can check to see if they are eligible to upgrade to a new phone; that number is about 3-times higher than the previous record for eligibility upgrade checks in one day.

Reading between the lines, that "unprecedented" web traffic may have been the culprit for the slowdown. That kind of traffic can knock a site down, which would be consistent with some of the behavior we saw yesterday.

As far as the security breach goes, AT&T offered a terse statement:

We have received reports of customers inadvertently seeing the wrong account information during the iPhone 4 purchasing process. We have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information.

In the meantime, we are looking into this matter.

What exactly was shown in the login mixup is unclear. We have a few screenshots as evidence which show name, address, and plan details (how many minutes, that kind of thing). There's a link at the top to "Manage my account" which might have led to other information, including billing and calling information as reported, but we have no evidence to show that that link behaved in that manner. For all we know, it signed the user out, or sent the user to his actual profile, or purchased season one of The West Wing on DVD from Amazon--AT&T's site was acting weird, and that link may or may not have done what it was intended to do.

Dan Nosowitz, the author of this post, can be followed on Twitter, corresponded with via email, and stalked in San Francisco (no link for that one--you'll have to do the legwork yourself).

2 Comments

  • Jonathan Wilder

    In Tokyo, at the Shibuya Apple store, it took four hours to process the first lucky 100 or so people in line that were eligible to pre-order for June 24 delivery of the phone. We were told that Softbank's servers were down, presumably under the crush of orders. Softbank is the sole carrier, like ATT in the US.

    Many hundreds of others who came too late to make the first cut, were processed smoothly ahead of the early birds as their orders were not routed through Softbank's servers. Those too late will have to come back two more times: once to go through the registration and second to pick up the phone at some later date.

    I passed by at 4:20 on my way on another errand, before I intended to stand in line, but chose to forgo my errand, and luckily so. I was fifth from the last eligible for the June 24 pre-order. Security prevented line jumpers so as to guarantee that those who came early would get their phones (black only were available for pre-order.)

    In comparison, 20 minutes seems hardly much to complain about. Nonetheless, the staff was competent and courteous, dutifully providing umbrellas to those in line when the rain began.

  • Mike Zeller

    I encountered those same problems of not being able to log in to the internet site for preorder, but then I went to the Apple store & they preordered it by just reserving one for me in 30 secs...