StratFor subscriber base posted to the web

Hackers have published the credit card details for the complete subscriber base of security intelligence firm StratFor on the open web, as well as the usernames and passwords of around half a million corporate and government customers.

Earlier this week the loose-knit Anonymous group had already posted close to 50,000 credit card details over the Christmas period after gaining access to StratFor’s servers.

Today the group released the full list of credit card details, plus what it claimed were 860,000 registration (username and password) details.

Closer analysis of the data reveals that many entries are duplicated once or twice in the database, making it difficult to analyse the true number of victims.

Regardless, the StratFor hack represents one of the single largest security headaches for Australia's corporate and government sectors.

The full registration list includes entries for just about every State and Federal agency in Australian government, including:

• Over 20,000 users with Australian (.au) email addresses
• Close to 3800 user registrations from Australian Government email accounts (from .gov.au domains)
• Over 600 email addresses from the Australian Department of Defence
• Over 400 from the Australian Federal Police (AFP)
• Over 400 from the Department of Foreign Affairs and Trade
• Over 100 from the Attorney-General’s Department
• Over 50 from Australia’s Department of Prime Minister and Cabinet
• Dozens of officers from Victoria, NSW, Queensland and West Australian Police, among others.

(NB – at least one in three were duplicate entries.)

Australia’s corporate sector didn’t get off lightly, with users from 15,000 .com.au addresses (not filtered for duplicates) exposed, particularly in the banking, insurance, superannuation, mining and energy sectors.

Victims included employee accounts from:

ActewAGL, Alcoa, Allens Arthur Robinson, Allianz, AMP, The Australian Stock Exchange, AXA, the Bank of South Australia, BankWest, BHP Billiton, Boral, CGU, Challenger, Coles Myer, Colonial First State, The Commonwealth Bank, Fairfax, HSBC Australia, ING Direct, Inpex, Insurance Australia Group, Investec, Lend Lease, Macquarie Bank, Mirvac, MLC, National Australia Bank, Newcastle Permanent, Newcrest Mining, News Limited, NRMA, Origin Energy, Perpetual Private Wealth, Qantas, Rio Tinto, SA Water, Southcorp, Suncorp, Sun Super, Star Track Express, Sunrice, Sydney Water, Tabcorp, Telstra, Virgin Blue, Water Corporation, Westpac, Woodside Energy and more.

There were also 2500 addresses from Australian academics exposed (unflitered for duplicates), as well as a large number of private users.

Not quite a Robin Hood exercise

The hackers behind the massive data breach had attempted to use some of the compromised credit card details to donate funds to various charities, but the ‘Robin Hood’ strategy appears to have backfired.

One of the recipients of donations has asked that the hackers cease the practice, as charge back fees for fraudulent transactions come at a cost to the recipient.

The Appropriate Infrastructure Development Group (AIDG) has called for the hackers to not donate money to the charity using stolen credit card accounts, telling supporters on Twitter that “we get hit $35 per fraud[ulent] transaction” in charge back fees.