Intelligence firm Stratfor reels after data breach. What did hackers get?
Stratfor is cooperating with law enforcement after hackers stole credit card information from its subscriber list, and experts say any attempt by the data thieves to help charities will probably backfire.
The risks of cyber break-ins were exposed again over the holiday weekend as the firm Strategic Forecasting, known as Stratfor, faced an intrusion by hackers that compromised client data and credit card numbers.
The private firm provides analysis of geopolitical and security issues to clients who range from the US military to large corporations. Stratfor is based in Austin, Texas.
Hackers breached the firm's computer systems, claiming to act as the group known as Anonymous, which has perpetrated other cyberattacks this year.
The online infiltrators released thousands of credit card details, passwords, and home addresses from Stratfor's private client list, via the information-sharing website Pastebin.
This data breach is not just embarrassing for a prominent purveyor of intelligence, but also potentially worrisome for Stratfor's clients.
Stratfor is in damage-control mode following the breach. Its website is closed for maintenance. It has warned clients via e-mail about the risk to data such as credit cards. It is working with law enforcement to pursue the data thieves.
The firm also sought to reassure clients that the hackers did not gain access to all types of data.
"Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications," the firm said in an e-mail to members on Christmas Day, according to news reports.
The hackers announced their intention to use the credit cards for charitable donations. Experts on data security say that any "Robin Hood" goal of the attack will likely backfire.
"These actions will just end up hurting the charities, not helping them," writes Mikko Hypponen of F-Secure in a blog post. "When credit card owners see unauthorized charges on their cards, they will report them to their bank or credit card company. Credit card companies will do a chargeback to the charities, which will have to return the money. In some cases, charities could be hit with penalties. At the very least, they will lose time and money in handling chargebacks."
One goal of the hack may be to harass an array of Stratfor clients who include members of the US military and intelligence communities.
Mixed signals about the role of Anonymous emerged Saturday, as some online posts denied the group was behind the attack.
A statement purporting to come from Anonymous said the group would not target Stratfor. "As a media source, Stratfor's work is protected by the freedom of press, a principle which Anonymous values greatly," the statement said. It said the perpetrators were seeking to portray Stratfor "in false light as a company which engages in activity similar to HBGary."
The security firm HBGary Federal faced a cyberattack earlier this year, after one of its executives said publicly that he hoped to identify members of Anonymous. [Editor's note: The original version of this story failed to give the full name of the firm HBGary Federal.]
Whoever is behind the attack, the incident underscores the vulnerabilities in computer networks that hackers can exploit.
The issue of cybersecurity has grown increasingly important to both government and corporations, and some members of Congress are calling for greater cooperation between the public and private sectors.
Two weeks ago, Reps. Peter King (R) of New York and Dan Lungren (R) of California introduced a bill that, Mr. King said, is designed to protect "our critical infrastructure without a heavy-handed and burdensome regulatory approach that could cost American jobs."
The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PrECISE Act) would set up a private sector body to share threat information with the government "while also protecting privacy and civil liberties," the bill sponsors say.