Confidential Client List Safe From Anonymous, Says Hacker Target

The magnitude of a Christmas Eve attack on Stratfor appears exaggerated by the data bandits.

The damage from a weekend data breach at a think tank on international security issues appears to have been inflated by the assault's perpetrators, the hacker collective known as Anonymous.

After Anonymous ransacked think tank Stratfor's computers and stole away thousands of credit card numbers and other personal information, it claimed to have also clipped the company's confidential client list. That list contains sensitive information about Stratfor's high profile clients, such as Apple, the U.S. Air Force, and the Miami Police Department.

However, Stratfor denies that Anonymous got the think tank's family jewels. "Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications," the firm says in an e-mail to its members dated December 25.

Stratfor adds that it had hired an identity theft and monitoring service to assist its members affected by the data breach. Further details on those services will be released to affected members later this week, it says.

On Monday morning, Stratfor's website was offline. Visitors to the location are being greeted to an "undergoing maintenance" screen.

So far, two lists of credit card details have been published to the Internet by Anonymous members, one containing 3956 items, the other with 13,191 items. Some of those numbers have apparently been used to donate large sums of money to charitable organizations such as the American Red Cross and CARE.

While to some it may appear that Anonymous is acting as an Information Age Robin Hood, it may not be doing anyone any favors by ringing up unauthorized charges on other people's credit cards. "These donations will never reach the ones in need," writes security guru Mikko Hypponen at F-Secure. "In fact, these actions will just end up hurting the charities, not helping them."

"When credit card owners see unauthorized charges on their cards, they will report them to their bank or credit card company," he explains. "Credit card companies will do a chargeback to the charities, which will have to return the money. In some cases, charities could be hit with penalties. At the very least, they will lose time and money in handling chargebacks."

The Anonymous attack on Stratfor was made murkier by a disclaimer posted on the Internet saying the group isn't responsible for the action. In an "Emergency Christmas Anonymous Press Release" the Stratfor foray was rapped by parties claiming to represent the collective. They assert that Stratfor is being falsely characterized as another HBGary Federal, a contractor accused of developing dirty tricks schemes for the military. A cyber assault on HBGary Federal earlier this year resulted in its CEO, Aaron Barr, resigning.

"Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs," they declare, referring to a well-known Anonymous member.

"As a media source, Stratfor's work is protected by the freedom of press, a principle which Anonymous values greatly," they add.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)