It looks like I won't be stopping coverage of Stratfor any time soon. According to statesman.com, Stratfor -- the international geopolitical analysis company that was hacked by Anonymous about one month ago -- has been presented with a lawsuit for more than $50 million. This is independent of whatever fines Stratfor will pay for violating PCI-DSS requirements, if any. Is it possible that just a dab of data encryption and common sense could have prevented all of this?
From the statesman.com:
The New York lawsuit, filed by David Sterling of Woodbury, N.Y., accuses Stratfor and its management of negligence, breach of contract and violation of the federal Stored Communications Act in allowing its customers' information to be stolen and in not notifying customers about the theft for more than two weeks after it occurred. The suit says Stratfor failed "to take reasonable steps to secure" its computer systems from outside attack. It also says Stratfor kept information about the hacking attack secret from its customers.
I've covered the Stratfor situation here, here, and here. In summary: Stratfor didn't encrypt client information, and it turns out that passwords were not salted.
Is this enough for a charge of negligence? I'm not a judge, so what I think doesn't matter, but here are my two cents: it's not negligence. But it comes pretty close.
You see, it is no big secret that encryption software protects data. Likewise when it comes to protecting credit card information: there are industry rules -- and I mean rules, not guidelines -- that require credit card info to be encrypted if stored. Another not-so-big secret. Plus, the entire hash-salting fiasco: salting passwords before hashing them is established practice, and has been for decades.
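To show what the salting point above actually buys a defender, here is an added example (not code from the original post or from Stratfor) contrasting a plain unsalted hash with a per-user salted, iterated hash; the usernames and passwords are constructed sample data, and the storage format is my own.

```python
import hashlib
import hmac
import os


def hash_unsalted(password: str) -> str:
    """Bare hash with no salt: the weak construction the post criticises.
    Every user who picks the same password gets the same digest, so one
    precomputed table (or one cracked hash) exposes all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'iterations$salt_hex$digest_hex' (assumed format) so that
    verification can recover the parameters later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample: two users who happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def demo() -> dict:
    """Unsalted digests collide across users; salted ones do not, yet still verify."""
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "salted_collide": salted["alice"] == salted["bob"],
        "salted_verifies": all(verify_salted(USERS[u], salted[u]) for u in USERS),
    }
```

A dedicated password hash such as bcrypt, scrypt or Argon2 is the usual production choice; PBKDF2 is used here only because it ships with the standard library.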
This is an intelligence firm, dealing with defense personnel all over the world. Are we to believe that they had no idea that encrypting information was important?
Of course, the use of cryptographic solutions does not guarantee 100% that Anonymous wouldn't have laid their mitts on the information that was breached. But let me tell you, accusations of negligence are less likely to hold sway if encryption was used.
Related Articles and Sites:
http://www.statesman.com/business/technology/austin-based-stratfor-faces-lawsuit-over-data-breach-2139417.html