In one of the best-publicized instances of hacking in recent years, “hacktivists” compromised not only Stratfor’s company and proprietary information, but also the personal information of hundreds of thousands of individual clients and subscribers.
Strategic Forecasting, Inc., commonly known as Stratfor, is a private firm that provides governments and others with independent geopolitical intelligence analysis. Founded in 1996 in Austin, Texas, Stratfor publishes daily intelligence briefings for paying subscribers as well as modified analytical products for public consumption. The company says that it “uses a unique, intelligence-based approach to gathering information via rigorous open-source monitoring and a global network of human sources.” That information is then evaluated by its analysts who “make the complexity of the world understandable to an intelligent readership, without ideology, agenda, or national bias.”
The group that targeted Stratfor calls itself “Anonymous”. Anonymous is widely acknowledged as a “hacktivist” group with loosely associated members who share a common interest in opposing internet censorship and surveillance. Some people have lauded Anonymous as an internet liberator, while others have condemned the group as a cyber-vigilante that wreaks havoc indiscriminately.
As Chuck Davis, Corporate Faculty at Harrisburg University of Science and Technology, explained, “Hacktivist groups, such as Anonymous, certainly can cause some problems when they post sensitive or private information about real people to the Internet. …When an organization is hacked by a Hacktivist group, the goal is usually to embarrass or expose the [target] organization for not properly protecting customers’ data. Hacktivists are more interested in protesting or targeting organizations that go against their beliefs. While some of their actions are illegal, their target is usually an organization and not the general public.”
Sometimes referred to as “the Shadow CIA”, Stratfor maintained an extensive and confidential list of subscribers. Anonymous hackers allegedly hacked into its systems on Christmas Eve of 2011. Documents issued by the Southern District of the New York U.S. Attorney’s Office indicate that hackers stole confidential information, including Stratfor employees’ emails and the account information of approximately 860,000 Stratfor subscribers and clients. These subscribers and clients included Fortune 500 companies, international government agencies, and private clients. Anonymous made their account information public, which caused significant embarrassment and reputational damage to a company that prides itself on operating with extreme discretion and reliability.
But Anonymous went a step further by exploiting data stolen from approximately 60,000 credit card subscribers. The hackers claim to have used this data to make unauthorized charges, ranging from a reported $750,000 to in excess of one million dollars, and directed the proceeds to various charitable organizations. In a follow-on to the 2011 hacking incident, Wikileaks published in early 2012 what it claims are over 5 million emails from the company that were obtained by Anonymous hackers.
Mike Wright, an information assurance subject-matter expert and independent consultant, gave a comprehensive assessment of how a hack of this magnitude could have far reaching implications for the targeted institution: “If the company had been found negligent in protecting its personal and private information [it] could be financially liable even more than what is being considered in the class action suit. If the company was bound by any compliancy regulations regarding the protection of that data, [it] could be fined as well. The implications of a hack of this nature go the full spectrum from possibly ruining companies, and the lives of the individuals affected, to nothing happening at all other than the company having to deal the fact that [it has] been hacked.”
Beyond the consequences facing an institution that has been hacked are the repercussions on the individuals whose information has been compromised. Private investigator Shannon Tulloss works frequently with victims of identity theft and reports that, “in 2011, the average identity theft victim spent 12 hours of time and $354.00 out of pocket expense resolving the issue with all of the associated parties and institutions,” but those costs are borne only when individuals actually discover that they have been victimized. The unfortunate (and perhaps unintended) victim of these crimes is often the “little guy” whose interests the hacktivists often claim to be representing.
In many cases, fraudulent transactions are quite small but numerous. The withdrawals from, or charges to compromised accounts may be so minor that many people overlook them on their statements. As Wright says, “Consider if a hacker compromises 1000 credit card numbers and sets up a repeating payment of $19.95 each month on each of those cards. At the end of the year, the hacker has collected over a quarter of a million dollars.” Small deductions taken from large numbers of targets are often more lucrative for hackers than a large amount extracted from a single target.
Successful prosecution of such high-profile cases could have broader implications. First, it would send a clear signal that hacking is no longer viewed as a petty crime but something more serious and that carries severe punishment. Secondly, law enforcement officials would see that their efforts to track down cyber criminals are not in vain. On the other hand, if cyber criminals are not fully prosecuted law enforcement agencies may naturally reevaluate the level of resources they are going to expend on pursuing them.
Because e-commerce has become so deeply entrenched in the global economy, it is necessary to think differently about the breadth of its vulnerabilities. A crime against a single target has the potential to affect hundreds of thousands of individuals over vast geographic areas (and jurisdictions). Since so much of today’s commerce is linked to the global marketplace, directly or indirectly, Tulloss sagely warns that “should any entity that we choose to partner with in business find that they have been hacked, everyone involved needs to immediately think about how they can protect themselves not just locally, but internationally.”
Davis offers a broader assessment of the potential impacts of cyber threats when he posits “we are on the precipice of an age where wars are waged in the digital world rather than the physical. Digital warfare is already here. Stuxnet is the perfect example. Nation states writing malicious software to attack the systems that run critical infrastructure is the digital equivalent to dropping bombs on power plants and airplane runways. Cybercrime has many different faces—hacktivism, identity theft, malicious mischief, and digital warfare—but the common denominator here is that this is all done using computers and [is intended] to cause harm to others.” Wright echoes this sentiment with the conclusion that “countries should work together when cybercrimes cross international boundaries, because we are a global community, and a hack in one location could eventually be felt worldwide.”
Whitney Grespin has worked in contingency contracting and international development on four continents. She currently specializes in security sector reform and capacity building.
This article was originally published in the Diplomatic Courier’s November/December 2012 print edition.