Stratfor, the intelligence consultancy targeted by a hacktivist group in a Christmas Eve attack, brought its website back online Wednesday following a nearly three-week investigation into the scope of the breach of its systems.
George Friedman, CEO of the Austin, Texas-based company, apologized to customers for the Stratfor breach and said the incident has prompted the company to improve security and outsource its payment processes to better protect customer data. Friedman said the company first learned its customer credit card data was stolen in early December when the FBI informed the company of the problem.
“We knew our reputation would be damaged by the revelation, all the more so because we had not encrypted the credit card files,” Friedman said in a blog post and video message on the company’s website. “We worked to improve our security infrastructure within the confines of time and the desire to protect the investigation by not letting the attackers know we knew of their intrusion.”
But Friedman explained that the hackers penetrated the website again in the Christmas Eve attack, publishing a message on the Stratfor homepage stating that, in addition to stealing credit card data and email addresses, they had destroyed four of the company’s servers along with data and backups.
The pilfered information included Stratfor account credentials of about 850,000 individuals and the credit card numbers of about 75,000 paying subscribers. The sensitive information included credentials from 242 NATO staff members, 343 U.S. military personnel deployed in Afghanistan and Iraq, as well as former U.S. Vice President Dan Quayle and former U.S. Secretary of State Henry Kissinger. The stolen data belonged to subscribers of its reports, not engaged clients that the firm does customized work for, according to Friedman.
Friedman said he has searched for a reason why the company would be targeted. The hacktivists, he said, had mischaracterized Stratfor as a “hub of global conspiracy,” rather than a firm that provides non-ideological analysis of international affairs and security threats to a wide array of major corporations and local, state and federal agencies. The latest reports on the company website, which are free for a limited time, offer analyses on Syria, Iraq and Lithuania.
The company is offering to pay for an identity theft prevention service for affected customers. Meanwhile, Stratfor’s email remains down and it is still waiting for all its archives to be restored. “Our failures have been reviewed and are being rectified,” Friedman said. “No security system is without flaws even if it is much better than Stratfor's was.”
A group claiming to be associated with Anonymous denied responsibility for the Stratfor breach. The stolen credit cards were used by the attackers to make sizable donations to various charities. The fraudulent charges were reversed.