LONDON (CBSMiami/AP) – A group of hackers dubbed “Anonymous” claims to have stolen private information, including credit card numbers, from a number of groups including the Miami Police Department, the U.S. Air Force and Apple Inc. after they reportedly breached Stratfor, a U.S. security think tank.
One hacker said the goal was to pilfer funds from individuals’ accounts to give away as Christmas donations, and some victims confirmed unauthorized transactions linked to their credit cards.
Anonymous boasted of stealing Stratfor’s confidential client list and mining it for more than 4,000 credit card numbers, passwords and home addresses.
Miami Police Department spokesman Sgt. Freddie Cruz Jr. said that he could not confirm that the agency was a client of Stratfor, and he said he had not received any information about a security breach involving the police department.
Austin, Texas-based Stratfor provides political, economic and military analysis to help clients reduce risk. The company’s main website was down, with a banner saying the “site is currently undergoing maintenance.” Proprietary information about the companies and government agencies that subscribe to Stratfor’s newsletters did not appear to be at any significant risk, however, with the main threat posed to individual employees who had subscribed.
“Not so private and secret anymore?” Anonymous taunted in a message on Twitter, promising that the attack on Stratfor was just the beginning of a Christmas-inspired assault on a long list of targets.
Anonymous said the client list it had already posted was a small slice of the 200 gigabytes worth of plunder it stole from Stratfor and promised more leaks. It said it was able to get the credit card details in part because Stratfor didn’t bother encrypting them, which, if true, would be a major embarrassment for any security-related company.
Fred Burton, Stratfor’s vice president of intelligence, said the company had reported the intrusion to law enforcement and was working with them on the investigation.
The attack is “just another in a massive string of breaches we’ve seen this year and in years past,” said Josh Shaul, chief technology officer of Application Security Inc., a New York-based provider of database security software.
Still, companies that shared secret information with Stratfor in order to obtain threat assessments might worry that the information is among the 200 gigabytes of data that Anonymous claims to have stolen, he said.
“If an attacker is walking away with that much email, there might be some very juicy bits of information that they have,” Shaul said.
Lt. Col. John Dorrian, public affairs officer for the Air Force, said that “for obvious reasons” the Air Force doesn’t discuss specific vulnerabilities, threats or responses to them.
“The Air Force will continue to monitor the situation and, as always, take appropriate action as necessary to protect Air Force networks and information,” he said in an email.
Anonymous also linked to images online that it suggested were receipts for charitable donations the group made by manipulating the credit card data it stole.
“Thank you! Defense Intelligence Agency,” read the text above one image that appeared to show a transaction summary indicating that an agency employee’s information was used to donate $250 to a non-profit.
One receipt — to the American Red Cross — had Allen Barr’s name on it.
Barr, of Austin, Texas, recently retired from the Texas Department of Banking and said he discovered last Friday that a total of $700 had been spent from his account. Barr, who has spent more than a decade dealing with cybercrime at banks, said five transactions were made in total.
“It was all charities, the Red Cross, CARE, Save the Children. So when the credit card company called my wife she wasn’t sure whether I was just donating,” said Barr, who wasn’t aware until a reporter with the AP called that his information had been compromised when Stratfor’s computers were hacked.
“It made me feel terrible. It made my wife feel terrible. We had to close the account.”
Stratfor said in an email to members, which was passed along to the Associated Press, that it had hired a “leading identity theft protection and monitoring service” on behalf of the Stratfor members affected by the attack.
The company said it will send another email on services for affected members by Wednesday.
(© Copyright 2011 CBS Radio Inc. and its relevant subsidiaries. The Associated Press contributed to this report.)