Stratfor’s back, defiant but blushing over unencrypted subscriber data

Stratfor’s site was back up on Wednesday after attackers knocked its servers offline on Christmas Eve.

Then it went back down again – this time under the crush of interest in its rebirth, according to a notice the site posted at 3:07 E.S.T. on Wednesday.

Still up was a video message from Stratfor founder and CEO George Friedman that was in turns 1) a frank admission of failure to encrypt subscriber data and 2) a defiant denial that Anonymous — who claimed responsibility for the attack — had found sensitive intelligence from governments or corporations, let alone signs of Stratfor’s involvement in a vast conspiracy, as attackers claiming Anonymous affiliation had tweeted.

In the video, Friedman recounted the chain of events, which started with the FBI contacting Stratfor about a breach in early December. Because the investigation was ongoing, the company initially didn’t have to publicly reveal the theft, he said.

That changed when the attackers struck again later last month. The FBI advised Stratfor that this time, they expected the hackers to publicize the theft.

Here’s what Friedman had to say about the attack, along with his mea culpa about storing unencrypted customer files:

We knew our reputation would be damaged. All the more so because we had not encrypted the credit card files. This was a failure on our part. As CEO of Stratfor, I take responsibility. This failure created hardship for our customers and friends. I deeply regret that it took place. The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn't grow with it. There was a failure of oversight. … That's not a justification. It's simply an explanation.

The company was “shocked” at the destruction of its servers, Friedman said, calling it “not a typical hacker attack. The intent was clearly to silence us.”

He denied that Anonymous had obtained client information; rather, the attackers got subscriber information. Stratfor is a subscription-based publisher that sells political, economic and military analysis, delivered as reports via the web, email and video.

Stratfor has since moved its e-commerce process to a third-party system to do away with the task of processing credit cards or storing/encrypting credit data.

The Christmas attack resulted in thousands of stolen credit card numbers, email addresses and passwords.

Thieves subsequently put through charges on those credit lines, Stratfor subscribers reported, while notes allegedly coming from Anonymous members crowed about the security firm’s lack of care in tending its database.

They also used the stolen email addresses and passwords to send out fake messages under victims’ names, including one email supposedly from Friedman about changes to Stratfor services, such as making premium content available for free to make up for the inconvenience of the services being unavailable.

The attacks, Friedman said, enable anonymity and undermine accountability, forming a “new censorship that doesn’t come openly from governments” but rather from “people hiding behind masks.”

Meanwhile, the attempt to silence Stratfor has failed, he said.

That’s a powerful statement about accountability. It comes from a source and a context we rarely see: a company that openly admits it has failed to execute proper security.

This is the type of response we should demand from every company that suffers a data breach, particularly one in which customer data is doxed.

Kudos for getting back up and running, Stratfor. Kudos for offering a year of fraud protection to your doxed subscribers.

And kudos, Mr. Friedman, for accepting responsibility and vowing to improve security.