Stratfor's back, defiant but blushing over unencrypted subscriber data

Filed Under: Data loss, Featured, Vulnerability

Stratfor's site was back up on Wednesday following attackers having kicked its servers offline on Christmas Eve.

Except then it was back down - this time from the crush of interest in its rebirth, according to what the site had to say at Wednesday 3:07 E.S.T.

George Friedman, CEO StratforStill up was a video message from Stratfor founder and CEO George Friedman that was in turns 1) a frank admission of failure to encrypt subscriber data and 2) a defiant denial that Anonymous — who claimed responsibility for the attack — had found sensitive intelligence from governments or corporations, let alone signs of Stratfor's involvement in a vast conspiracy, as attackers claiming Anonymous affiliation had Tweeted.

In the video, Friedman recounted the chain of events, which started with the FBI contacting Stratfor about a breach in early December. Because the investigation was ongoing, the company initially didn't have to publicly reveal the theft, he said.

That changed when the attackers struck again later last month. The FBI advised Stratfor that this time, they expected the hackers to publicize the theft.

Here's what Friedman had to say about the attack, along with his mea culpa about storing unencrypted customer files:

We knew our reputation would be damaged. All the moreso because we had not encrypted the credit card files. This was a failure on our part. As CEO of Stratfor, I take responsibility. This failure created hardship for our customers and friends. I deeply regret that it took place. The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn't grow with it. There was a failure of oversight. … That's not a justification. It's simply an explanation.

Broken hard driveThe company was "shocked" at the destruction of its servers, Friedman said, calling it "not a typical hacker attack. The intent was clearly to silence us."

He denied that Anonymous had gotten hold of client information; rather, they got subscriber information. Stratfor is a subscription-based publisher that sells political, economic and military analysis as reports and analysis that it delivers via the web, email and video.

Stratfor has since moved its e-commerce process to a third-party system to do away with the task of processing credit cards or storing/encrypting credit data.

The Christmas attack resulted in thousands of stolen credit card numbers, email addresses and passwords.

Thieves subsequently put through charges on those credit lines, Stratfor subscribers reported, while notes allegedly coming from Anonymous members crowed about the security firm's lack of care in tending its database.

They also accessed email addresses and passwords to send out fake messages under victims' names, including one email supposedly from Friedman about changes to Stratfor services, including making premium content available for free due to the inconvenience of their services being unavailable.

Anonymous maskThe attacks, Friedman said, enable anonymity and undermine accountability, forming a "new censorship that doesn't come openly from governments" but rather from "people hiding behind masks."

Meanwhile, the attempt to silence Stratfor has failed, he said.

That's a powerful statement about accountability. It comes from a source and a context we rarely see: A company that openly admits when they've failed to execute proper security.

This is the type of response that we should demand from all companies who suffer data breaches; particularly those attacks in which customer data is doxed.

Kudos for getting back up and running, Stratfor. Kudos for offering a year of fraud protection to your doxed subscribers.

And kudos, Mr. Friedman, for accepting responsibility and vowing to improve security.

, , , , , , ,

You might like

5 Responses to Stratfor's back, defiant but blushing over unencrypted subscriber data

  1. Jeremy Leman · 827 days ago

    I have to say I do not like the tone of this, it's making them look great... for what? being hacked? Having no security whatsoever? For admitting the obvious?

    Because no, apologizing does _NOT_ make it OK to store customer information including cc details + cvs in plain text and easy to grab.

    Hell even their own employees should not have access to this information in plain text.

    Article = biased

    @Flwz

  2. Michael · 827 days ago

    Stratfor shoudn't kick itself too hard. The problem with corporate databases is they can't be encrypted, since multiple users must be able to access and modify them in real time. Security of those databases instead depends on stuff like access control, which is notoriously difficult to do properly, and only allowing specific trusted clients to connect to the network.

  3. jmb98115 · 827 days ago

    Yeah, transferring all of your "secure ops and data" to another party is the solution. Security achieved, Congrats. Hopefully, the outsourced second party hasn't laid out the welcome mat, as well.

  4. I think the tone of this is almost right on -- it doesn't make them look great: they did something stupid, were caught doing it, and have now admitted all of what they did (and didn't) do.

    While their original practice should NEVER happen (even RAD systems allow you to encrypt this data these days -- don't accept code from people who don't use basic security), the straight talk is a breath of fresh air for me.

    In a time when politicians and CEOs have learned the rule "never admit guilt," and that if you repeat something loudly enough and often enough, people will believe it, having someone say "this is what happened, and this is where we messed up. We're not going back into normal operation until it's fixed" is ALWAYS to be lauded -- after all, I have yet to see an organization who hasn't been lax somewhere in its IT security.

    IT security should be about more than just making the right initial decisions -- it should also be about how the organization responds to failure of IT systems, and how it handles forward-looking security.

    While Stratfor messed up right out of the gate, I for one appreciate what it has done since then. Unlike so many other organizations, I don't expect them to make the same mistake twice, and I expect them to have a reasonable action plan to deal with the mess ensuing from their next mistake.

  5. Lisa Vaas · 794 days ago

    I agree: It's pathetic that being upfront about mistakes is so rare. Because it is, though, it's laudable.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.