Stratfor admits stolen credit cards were unencrypted

Powered by SC Magazine
 

But CEO says "the attempt to silence us failed".

Stratfor relaunched its website last night with its founder George Friedman acknowledging its security failures but remaining resilient.

In a lengthy statement, Friedman said credit card files had not been encrypted and the FBI advised stolen data would likely be published.

He said this was "a failure on our part" and that he deeply regretted it.

“The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn't grow with it. Again, I regret that this occurred and want to assure everyone that Stratfor is taking aggressive steps to deal with the problem and ensure that it doesn't happen again,” he said.

“I was prepared for the revelation of the theft and the inevitable criticism and negative publicity. We worked to improve our security infrastructure within the confines of time and the desire to protect the investigation by not letting the attackers know that we knew of their intrusion."

"With the credit card information stolen, I assumed that the worst was done. I was wrong” he said.

This related to the second hacking on Christmas Eve, where attackers "published a triumphant note on our homepage saying that credit card information had been stolen, that a large amount of email had been taken, and that four of our servers had been effectively destroyed along with data and backups".

Friedman said he was most shocked about the destruction of servers adding that "this attack was clearly designed to silence us by destroying our records and the website, unlike most attacks by such groups".

He described the attack on the organisation's digital existence as "a different order of magnitude".

Friedman said that with archives set to be restored, email working again and failures "being rectified", the attempt to silence Stratfor failed.

“We deliberately shut down while we brought in outside consultants to rebuild our system from the ground up. The work isn't finished yet, but we can start delivering our analyses. The handling of credit cards is being handed to a third party with appropriate capability to protect privacy,” he said.

“We are fortunate that we have the financial resources and staff commitment to survive the attack. Others might not. We are now in a world in which anonymous judges, jurors and executioners can silence whom they want. Take a look at the list of organisations attacked. If the crushing attack on Stratfor is the new model, we will not be the last. No security system is without flaws even if it is much better than Stratfor's was.”

He concluded by saying that he expects Stratfor to be attacked again, as it was when emails were sent out to members from a fake Stratfor address, but it will continue to publish analysis and sell it to those who believe it has value.

He said: “To our subscribers who have expressed such strong support, we express our deepest gratitude. To our critics, we assure you that nothing you have said about us represents a fraction of what we have said about ourselves.

“To all, I dedicate myself to denying our attackers the prize they wanted. We are returning to the work we love, dedicated to correcting our mistakes and becoming better than ever in analysing and forecasting how the world works.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition


Stratfor admits stolen credit cards were unencrypted
 
 
 
Top Stories
ATO shaves $4m off IT contractor panel
Reform cuts admin burden, introduces KPIs.
 
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  13%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 438

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 210

Vote