Stratfor's shocking data security revealed: firm kept customer details in plain text prior to 2011 hack

By Danny Palmer
16 Jun 2014
Jeremy Hammond

Stratfor, the private intelligence firm that was subject to a massive security breach in December 2011, left itself vulnerable to cyber attack by storing credit card details of almost 80,000 customers in plain text, a leaked Verizon security report into the hack has revealed.

The report, revealed to The Daily Dot, suggests Stratfor didn't meet industry data security standards for payment cards, including safely storing data using encryption, regularly testing security systems, installing firewalls and restricting access to the information on a need-to-know basis.

In a previous interview about the case with Computing, criminal law attorney Jay Leiderman argued that the insecure nature of Stratfor's data handling was equivalent to leaving a front door open then being burgled.

"If you left your front door open people wouldn't really call it a break-in. To some extent Stratfor were unsecure to the point where it was like their front door was open," he said. "As far as I'm aware, nothing was really hacked in the classic sense."

As a result of the breach, credit card information of 79,062 customers, including cardholders' names, addresses and security details, was revealed as part of a hacking exercise that saw the personal data of 860,000 customers compromised. Those customers included a former Vice President of the United States, a Secretary of State and a CIA director.

The information was acquired by hackers through the interception of around five million internal Stratfor emails, which were later released by whistleblower organisation WikiLeaks as "the Global Intelligence Files". Hackers also used stolen credit card details to make $700,000 in donations to charities.

The incident is thought to have resulted in about $3.8m (£2.2m) in damages and much embarrassment to the firm, and the Verizon report – compiled in February 2012 – suggests the whole cyber security breach could have been avoided if Stratfor had complied with proper data protection policies.

"In light of a confirmed system breach," Verizon says in the 66-page document, "it should be noted that several distinct vulnerabilities and network configurations existed that allowed this breach and subsequent data compromise to occur."

Those vulnerabilities included the same passwords being used on a variety of different devices and employees sharing passwords. "Users commonly use the same password to access email as the password to remotely access a system containing sensitive information," states the report.

The attacks on Stratfor were carried out by hacking group AntiSec, with the group reportedly encouraged to carry out the attacks by Hector "Sabu" Monsegur, the former LulzSec leader who, unbeknown to his fellow hackers, had become an FBI informant by that time. Information provided by Sabu was used to sentence eight Anonymous hackers including Jeremy Hammond (pictured), who is currently serving a 10-year prison term for his role in the attack.

But Leiderman told Computing that the authorities could have easily prevented the attack from occurring at all.

"The FBI was kind of part and parcel to this hack, they knew about it [through Sabu], they had to have known about it beforehand. They didn't do anything to warn Stratfor or to take pains to stop it," he said.
