Some more on the Stratfor/Anonymous hack – protecting user data

Okay, this is my final post on the Stratfor/Anonymous hack.  Probably.

I’m a subscriber, and yesterday we all got a note from Stratfor founder George Friedman about the hack.  You can read it here if you so desire.  In it, he describes the motives for the attack:

The attackers thought that Stratfor was part of a global conspiracy, providing custom consulting for various parties – foreign governments and private corporations.  They broke into Stratfor to steal its emails, which would presumably incriminate Stratfor as part of a villainous ring of deceit and nefarious plots (I’m embellishing in my summary).  However, when they saw that they could also get the credit card numbers of Stratfor’s clients, well, that was just the icing on the cake.  Part of a global conspiracy?  Well, we’ll just charge a bunch of donations to a charity.  (Why Anonymous would do this is bizarre, because most credit cards have fraud prevention and ways to reverse fraudulent charges, even if they are to charitable organizations.  Did they think they would get away with it?)

But more relevant to this blog, Stratfor failed to protect their customers’ credit card information:

Attacks against credit cards are common, our own failures notwithstanding. So are the thefts of emails. But the deliberate attack on our digital existence was a different order of magnitude. As the global media marveled at our failure to encrypt credit card information, my attention was focused on trying to understand why anyone would want to try to silence us.

This is a really big mess-up!  Of course they marveled at that failure!  If Neil Schwartzman were reading this, he’d be spinning in his grave!*

I have written about this before.  Microsoft has a good model for protecting users’ data.  We classify data into low business intelligence (LBI), medium business intelligence (MBI) and high business intelligence (HBI).  Information that is HBI must be encrypted, and there are strict guidelines on who has access and how the data must be stored.  Customers’ financial information is HBI.  The full definitions:

  • HBI – Authentication and authorization credentials, government provisioned ID (Social Security or driver’s licenses), financial profiles (credit reports), medical profiles (medical records or biometric information). HBI must be encrypted while in transit and while stored and not in use.

  • MBI – Personally identifiable information that is not as sensitive as HBI. Examples are an individual’s race, ethnic origin, political orientation, physical health. This also includes contact information such as a name, address, email address, fax, etc. MBI must be encrypted while in transit. It does not have to be encrypted while stored and not in use. Encryption must be at least 128 bit.

  • LBI – These are typically intended to be widely published information like web pages, public cryptographic keys, and press releases. LBI does not need to be encrypted.
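As an added illustration (not code from the post, and not Microsoft’s own tooling), here is a small audit that applies the three tiers above to a stored subscriber record and reports where the storage falls short of the tier’s requirements.  The field names, the sample record and the choice to apply the 128-bit minimum to HBI as well as MBI are assumptions made for this example.

```python
# Constructed policy check modelled on the HBI/MBI/LBI tiers described above.
from dataclasses import dataclass

# Tier -> (must be encrypted in transit, must be encrypted at rest, minimum key bits).
# The 128-bit minimum is stated for MBI; applying it to HBI too is an assumption.
POLICY = {
    "HBI": (True, True, 128),
    "MBI": (True, False, 128),
    "LBI": (False, False, 0),
}

# Constructed field classification following the post's definitions.
FIELD_TIER = {
    "password_hash": "HBI", "credit_card_number": "HBI", "ssn": "HBI",
    "name": "MBI", "email": "MBI", "address": "MBI",
    "press_release": "LBI",
}

@dataclass
class StoredField:
    name: str
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    key_bits: int = 0  # key length of whatever encryption is applied

def audit_field(f: StoredField) -> list[str]:
    """Return the policy violations for one stored field (empty list if compliant)."""
    tier = FIELD_TIER.get(f.name)
    if tier is None:
        return [f"{f.name}: unclassified field; classify before storing"]
    transit, rest, min_bits = POLICY[tier]
    findings = []
    if transit and not f.encrypted_in_transit:
        findings.append(f"{f.name} ({tier}): must be encrypted in transit")
    if rest and not f.encrypted_at_rest:
        findings.append(f"{f.name} ({tier}): must be encrypted at rest")
    if (f.encrypted_in_transit or f.encrypted_at_rest) and f.key_bits < min_bits:
        findings.append(f"{f.name} ({tier}): key is {f.key_bits} bits, minimum {min_bits}")
    return findings

def audit_record(fields: list[StoredField]) -> list[str]:
    """Audit every field of a record and collect all findings."""
    return [finding for f in fields for finding in audit_field(f)]

# Constructed sample: card numbers protected in transit but stored in the clear.
SAMPLE = [
    StoredField("email", encrypted_at_rest=False, encrypted_in_transit=True, key_bits=128),
    StoredField("credit_card_number", encrypted_at_rest=False, encrypted_in_transit=True, key_bits=128),
    StoredField("press_release", encrypted_at_rest=False, encrypted_in_transit=False),
]

if __name__ == "__main__":
    for line in audit_record(SAMPLE):
        print(line)
```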

I know people like to blah, blah, blah regarding Microsoft and how it is a slow behemoth, but we’re really far ahead on defining processes for protecting user privacy.  That is something the rest of the software world should adopt.  Had Stratfor done so, their users’ credit card information would have been protected.  This is not foolproof, but it would have helped.

* I use this phrase in jest as Neil Schwartzman is a strong advocate for protecting user privacy.  I wonder if he’s reading this right now?