STRATFOR: The Mid-Term IR Grade is a D-

Posted on 16 January 2012 by


STRATFOR is back online, and is offering its content free for the time being. After personally staying quiet for some time after the hack, STRATFOR CEO George Friedman wrote a note and made a video appearance in which he described what happened and provided some analysis.

I’ll come back to that in a minute, but let me say that the video was masterful. Had it only come ten days earlier it would have changed my reaction to their incident response to a B- from a D- – and remember, we started by giving them a B-.

But it did not.

STRATFOR got in its own way. As is sadly too common in breach incidents, STRATFOR ran around repeatedly shooting itself in the head before wising up and moving towards, you know, openness. Ironically, this came from a company in the business of analyzing things and selling this insight.

First, it sounded imperious in its communications. Fred Burton, STRATFOR’s VP of intelligence, appeared in a video looking stilted (then again, he usually does) and talking about how they were getting me identity theft monitoring.

As you may know by now, an unauthorized party illegally obtained and disclosed personal information and related credit card data of some of our members. As a result, we have arranged for all Stratfor members to receive one year of free identity protection coverage from CSID, a leading provider of global identity protection.

Some of our members? Oh, Fred. This was clearly intended to scope the incident downward, to try not to look like such a punk (it failed).

And it was also, gallingly, intended to show magnanimity (“Some of our members’ information was leaked, but all are receiving free monitoring!”). This would be great if the service they were offering us was good.

The service, in a word, sucks. It is among the lamest of the commercial identity theft protection services, operating (it would seem) on indexed search services and lame-a-rooni automated alerts. My kid could do a better job by setting up Google alerts and Pastelerts.

Rather than provide CSID with the numbers of the credit cards which STRATFOR lost for all of us, STRATFOR and CSID left it up to us to figure out just which of our credit cards STRATFOR managed to allow to get stolen. Even if we had wanted their advice, we couldn’t get it: STRATFOR remained offline, except to tell us that it was not sending email to us.

So we all had to trundle off to CSID and get a stupid username and password and then tell them which credit cards STRATFOR lost. In the second video, Fred tells us that he thanks us for his patience. He says that in the same way as the conductor on the G train in Brooklyn says it, when you’re broken down between stations in the sweltering heat. If by “patience” Fred meant, “suck it up, buttercup,” then he has a good point – that was in fact our only option.

As if all that weren’t frustrating enough, once CSID “discovered” my credit card numbers had been compromised (something I knew well before STRATFOR had even started communicating initially), it gave me generic advice to call my card company.

Gosh, thanks. This is a valuable service. On the other hand, a group of hackers and tag-alongs gave me the same news, and the same expert lack of help, but showed elan.

[Oh, don’t get your knickers in a twist: of course I abhor and condemn the illegal acts these guys have committed, and I would personally be overjoyed were they ever to be brought to justice. But I tell ya, here in Texas, it’s illegal to leave your car running when you go into a store precisely because the law here recognizes that, even if someone does steal your car, you should be charged with felony-grade stupid for giving them the keys. That, ladies and gentlemen, and Fred and George, was an analogy.]

Subsequently, during multiple attempts by people to use my publicly disseminated card numbers on a range of sites, I was never again emailed by CSID, which apparently was pleased with the work it hadn’t done to date and felt it didn’t have to do any more nothing. Instead, I counted on excellent vendors like Amazon and PayPal to use their outstanding anti-fraud services to protect me. These companies and others proactively stopped people from using my card numbers. And they told me about it.

STRATFOR? Not a peep.

Then a group put out a note in which they targeted me and PLI specifically – that’s not necessarily STRATFOR’s fault…. Wait a minute, yes it is: had they conducted themselves with even the most elementary concern for security, my credentials (they were throwaway) and information would not have been breached to begin with. Basic, easy stuff.

Then came Friedman’s straightforward and honest summary of his behavior. He took responsibility for the breach and the actions which led to it. My favorite line in his article and video:

To our subscribers who have expressed such strong support, we express our deepest gratitude. To our critics, we assure you that nothing you have said about us represents a fraction of what we have said about ourselves.

To George, or whoever wrote that: nice one.

This, too, was really good:

We knew our reputation would be damaged by the revelation, all the more so because we had not encrypted the credit card files. This was a failure on our part. As the founder and CEO of Stratfor, I take responsibility for this failure, which has created hardship for customers and friends, and I deeply regret that it took place. The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn’t grow with it. Again, I regret that this occurred and want to assure everyone that Stratfor is taking aggressive steps to deal with the problem and ensure that it doesn’t happen again.

He points out that this is by way of explanation and not excuse, and it’s good: this should serve as a model of the kinds of things to say when you’re breached.

What was not model was the timing. By the time this came out, two weeks had gone by and scores of thousands of people had been inconvenienced.

He waited too damned long, and outside his words, his outsourcing of credit card processing and the rebuild of his web engine, his actions to help me, the customer, were far too minimal – in fact, they are unacceptable.

Overall, as an incident response from a company (let alone a company in the information analysis business)? A big, fat D-.

Things to do:
In no particular order; in fact, last should go first.

Come out with the highest ranking person you can get as soon as you understand what happened. In STRATFOR’s case, this was very early – in fact, they admit, they knew before the Christmas Eve hack that things were stinking rotten in Denmark, and opted not to disclose.

Don’t over-promise or over-disclose, but don’t under-disclose. If you know that the personal information of hundreds of thousands got taken, say something. Move faster. And who did CSID sleep with to get this contract, because that was one massively stupid decision.

Don’t go quiet. Even if you’re pissed at Zappos today – and I am – you can’t accuse them of not getting the word out and working to stay reachable by email and on their website. They seem to be proactive, where STRATFOR seemed to be asleep at the stick. Because it was.

Don’t suck so much in the first place. STRATFOR failed at so many simple things it could and should have done to protect its customers. Everyone gets hacked, and of course, no one is safe from targeted, determined attackers. But to paraphrase Aaron Turner, if Fisher Price made a firewall, STRATFOR would have messed up installing it.