Stratfor: We actually got hacked twice

First was in November but we kept that one quiet.

Hacked security intelligence company Stratfor's CEO George Friedman has admitted knowing that customers' credit cards were compromised a month before a breach was disclosed.

In an update as the company relaunched its website, Friedman conceded Stratfor had actually been hacked twice.

He said credit card companies were informed of the compromised card numbers after the first breach, but that Stratfor held back on disclosing the breach to customers to protect an FBI investigation.

"In early December I received a call from Fred Burton, Stratfor's vice president of intelligence. He told me he had received information indicating our website had been hacked and our customer credit card and other information had been stolen," wrote Friedman

The Stratfor breaches have affected hundreds of thousands of government and corporate subscribers across the globe, including about 20,000 Australians.

The breach became public in late December after hackers, purportedly aligned with the Anonymous movement, dumped Stratfor's customer email addresses and credit card details on Pastebin, prompting an email alert from Friedman to Statfor's customer database.

Stratfor failed to encrypt the credit card details, allowing them to be published in full, which appeared at the time to present a serious financial risk to subscribers.

But Friedman, at the Wednesday relaunch of Stratfor's site (which is now backed by DDoS-protection content distribution service CloudFlare) said the data dump that led to its disclosure occurred closer to the time of a second, more devastating attack. 

Until that point, Stratfor had kept the breach under wraps so as not to disrupt an ongoing FBI investigation.

"From the beginning I faced a dilemma," wrote Friedman in a lengthy justification and apology.

"I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. I also felt bound to protect the investigation." 

Unbeknownst to victims, the FBI had already supplied card companies a list of compromised accounts, without revealing the source.

"Our customers were therefore protected, as the credit card companies knew the credit cards and other information had been stolen and could act to protect the customers. We were not compelled to undermine the investigation," said Friedman.

But any benefit in silence ended after December 24 when the hackers returned, this time to destroy Stratfor's web server infrastructure, which blindsided the company midway through efforts to beef up security.

"Early in the afternoon of Dec. 24, I was informed that our website had been hacked again," explained Friedman.

"The hackers published a triumphant note on our homepage saying that credit card information had been stolen, that a large amount of email had been taken, and that four of our servers had been effectively destroyed along with data and backups." 

He depicted the act as an attempt to censor the company and expressed surprise that the attackers might seek anything other than credit card details.

"This is a new censorship that doesn't come openly from governments but from people hiding behind masks," he said. 

Given previous attacks on government security contractors such as HB Gary, that hackers might steal internal documents arguably should not have surprised the intelligence company. But apparently it did.   

"Obviously, we were not happy to see our emails taken. God knows what a hundred employees writing endless emails might say that is embarrassing, stupid or subject to misinterpretation," wrote Friedman, adding that the real shock was that they also destroyed the company's servers.

"We had expected they would announce the credit card theft. We were dismayed that emails had been taken. But our shock was at the destruction of our servers. This attack was clearly designed to silence us by destroying our records and the website, unlike most attacks by such groups." 

Friedman has released a video of the company's explanation.