Stratfor hacked; clients and credit card numbers exposed

Intelligence and security research group Stratfor was hacked Saturday, and a list of clients, personal information and credit card numbers was purloined from its servers.

Having exposed the group's customers, the hackers apparently used the card numbers to make donations to the Red Cross and other charities.

The New York Times' Nicole Perlroth writes that the attack was also likely intended to embarrass Stratfor. She ends with a curious quote from Jerry Irvine, a member of the Department of Homeland Security's cybersecurity task force:

“The scary thing is that no matter what you do, every system has some level of vulnerability,” says Jerry Irvine, a member of the National Cyber Security Task Force. “The more you do from an advanced technical standpoint, the more common things go unnoticed. Getting into a system is really not that difficult.”

Sure, if it's a web server, exposed to the public by design.

But Stratfor didn't just expose a website to the public. It also, apparently, put all this other stuff online, in the clear, for the taking.

It's true that websites are like storefronts, and that it's more or less impossible to stop determined people from blocking or defacing them now and again.

Here, however, it looks like Stratfor left private files in the window display, waiting to be grabbed by the first guy to put a brick through the glass.

Now, I'm not a member of the national IT security planning task force. But I'm pretty sure that putting unencrypted lists of credit card numbers and client details on publicly exposed servers isn't quite explained by "no matter what you do, every system has some level of vulnerability."

UPDATE: One Anon claims that the hack was not the work of Anonymous. However, the usual caveats apply: no structure, no official channels, no formal leaders or spokespersons.

    1. So many AOL users… the mind boggles about “sensitive security intelligence” being delivered to people who need a voice to tell them…
      You’ve got mail!

  1. With security minded nabobs like this in charge of “cyber” security and security think tanks, it’s no wonder the Chinese know what I ate for breakfast.

    1. I trust that release as much as I trust Sony saying they have a text file that proves it was all Anonymous all along owning their systems and their entire lapse in judgement and security can be blamed on the text Expect Us.

      Well, that and it’s too well written, and extols the virtues of the company always being right…

      One just needs to see what else might show up for #LulzXmas to decide who is being truthful.

    2. Isn’t Anonymous a leaderless loose mix of hackers who act in concert only when they feel like it? How can anyone speak for them?
      Personally, I think whoever hacked Stratfor performed a public service in exposing an insecure company, not to be trusted with your personal details or credit card numbers.

      1. Yes.

        But as far as I can see it, most anons don’t like to “play” with credit card information.

        It IS a good troll, though. So it might still be possible.

  2. I think the “gee whiz, whaddyagonna do?” kind of response that sounds so inappropriate here is kind of the default response for this sort of attack. I mean, if you’re talking to a reporter, especially in a paper as widely read as the NYT, what would you rather put out there? That you fucked up and left your data wide open to attack, or “we tried, but hackers will break in no matter what so it isn’t our fault at all”?

    It’s just like a politician…they won’t give a correct, nuanced response if it might make them look even the tiniest bit bad, so everything is ludicrously over-the-top.

  3. I’m not sure that it’s accurate to describe Stratfor as a security research group. I haven’t checked out their site in a while but in the past they’ve been almost entirely focused on analysis of international events–not security/technology.

    1. This is correct. But as a merchant accepting payment cards, Stratfor should have known better than to store unencrypted card numbers — it’s a violation of the most basic PCI DSS requirements, and they’re going to catch hell from their acquiring bank. Why wasn’t Stratfor outsourcing this to a payment gateway? They can’t be doing that high a volume of card transactions per annum.

      1. Sure, no argument from me. All I was trying to point out is that it’s misleading to think they were tech security consultants, etc.

  4. Anonymous is getting like Al Qaida inasmuch as one doesn’t quite know which part is state-sponsored and what part isn’t.

    Is releasing Stratfor customers’ credit card details within the ethos of earlier Anonymous operations? I don’t believe so.

    Anonymity in such matters presents a conundrum: Cult of the anti-personality – v – letting in the agent provocateurs sponsored by corporations and corrupt government.

    One “Anonymous” clone on Twitter has been tweeting about porn they have been appreciating recently. That certainly sounds like a psy-op.

  5. Anonymous being, well, anonymous makes for a group that will naturally become unfocused about what it’s actually doing rather quickly. Easy bet that there’s splinter groups already, and I should have little doubt that some of them still call themselves “Anonymous”.

  6. @Diogenes In their defense, Stratfor wasn’t exactly a “computer/network security” company; they were a strategy forecasting company. They got hired to read tea leaves for governments and companies.
    I’m pretty curious to know what the hell they did to piss off anon_finland that much. Their twitter feed said that the “incriminating evidence” is in an article on the Barron’s website, but it’s behind a paywall, and I haven’t gotten around to getting the article yet.

  7. Of course, all those non-profits to whom anon (or whoever) so generously donated are going to be hit by a string of chargebacks, each one of which might also carry a $25+ fee (depending on their merchant bank). In extreme cases, it might screw up the non-profit’s ability to accept credit cards. What a lovely Christmas present to give them!

      1. Assuming 10-year-olds can get access to a pile of valid credit card numbers and expiration dates, they certainly can.

  8. “The scary thing is that…” Jerry Irvine is in charge of Cyber Security, what a colossally effing idiot! Is Irvine related to Friedman, by any chance?

    And is George Friedman, the CEO of that douchebagging operation, Stratfor, employer of more low-IQ types than any other douchebagger outfit, related to Thomas Friedman, douchebagger extraordinaire? Or Jaclyn Friedman, anti-Wikileaks whiner and trashy girl for the (Rockefeller/Kissinger/Perle) Perseus LLC/Perseus Books? Or Stephen Friedman (Goldman Sachs, Marsh & McLennan during 9/11/01 attacks, and a government intel board member on every board over the past 20 years), and had to resign as chair of the NY Fed Reserve due to insider trading, ‘natch?

    From that client list, almost every Rockefeller company (AT&T, JPMorgan Chase, Exxon, etc., were on the list) — and I especially enjoyed Frist Capital, LLC — isn’t that Bill Frist’s private equity leveraged buyout pirate group?

  9. Having recently read _Next Decade: Where We’ve Been… and Where We’re Going_ by George Friedman, Stratfor doesn’t need hackers to embarrass themselves. Friedman, “the founder, chief intelligence officer, financial overseer, and CEO,” does fine all on his own.
