BreachExchange mailing list archives

Austin-based Stratfor faces lawsuit over data breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Mon, 13 Feb 2012 02:07:15 -0500

http://www.statesman.com/business/technology/austin-based-stratfor-faces-lawsuit-over-data-breach-2139417.html

Austin-based Stratfor, which lost information on thousands of its customers
in computer hacking attacks against its website in December, now finds
itself under legal fire.

Stratfor this week responded in a Texas court to a federal class action
suit filed against it in New York.

The suit seeks more than $50 million in damages on behalf of customers
whose personal and credit card information was lost in the hacking
incidents of Dec. 7 and Dec. 24.

Credit for the attacks was claimed by the loose hacking community
Anonymous. Some credit card information was used to make donations to
various nonprofit groups, including the Red Cross.

Stratfor is a well-known publisher of international geopolitical analysis.
Its thousands of customers and users included employees of various U.S.
intelligence and law enforcement agencies as well as the military.

The New York lawsuit, filed by David Sterling of Woodbury, N.Y., accuses
Stratfor and its management of negligence, breach of contract and violation
of the federal Stored Communications Act in allowing its customers'
information to be stolen and in not notifying customers about the theft for
more than two weeks after it occurred.

The suit claims that personal information for about 75,000 customers was
lost in the hacking attack, as well as information on 90,000 credit card
accounts and 5.2 million email messages.

The suit says Stratfor failed "to take reasonable steps to secure" its
computer systems from outside attack. It also says Stratfor kept
information about the hacking attack secret from its customers.

In its countersuit, Stratfor argues that Texas, not New York, is the proper
venue for such a suit and seeks a declaratory judgment that it owes the
plaintiff no more than $349, which was the amount it says he paid for
Stratfor's service.

In a written statement, Stratfor said Tuesday that it "believes the
class-action lawsuit is without merit. Stratfor looks forward to telling
its side of the story, at the appropriate time and place. The countersuit
filed Monday is intended to ensure the issues are heard in the appropriate
place — Texas, where Stratfor is headquartered and where the hack occurred."

The company, which is led by CEO George Friedman, said in its filing that
it has been working with the FBI since the Dec. 7 attack and that it has
hired security consultants to investigate the attack and prevent others on
its site.

The company said that it made sure, immediately after the Dec. 7 attack,
that all credit card companies were notified by the FBI with the credit
card numbers and subscriber names for all compromised credit cards.

When the hacking became public on Dec. 24, the company notified subscribers
on Dec. 24, 25 and 28, it said in the suit.

On Dec. 28, the company offered, at its expense, for its customers to
receive services from CSID, an Austin-based identity protection company.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
