- The Washington Times - Thursday, December 29, 2011

Security analysts are bracing for the release of millions of emails that computer hackers stole from a U.S. intelligence-analysis firm whose clients include federal agencies, large corporations and foreign countries.

The emails could reveal sensitive material to foreign spy agencies and corporate rivals about Stratfor’s clients, which include employees of the Pentagon, Bank of America and the Austrian armed forces, among others.

The hackers, identifying themselves as part of the collective “Anonymous,” warn they will soon release more than 3.3 million emails and information about Stratfor’s website subscribers. They already have released names, website logins, passwords and credit card information for more than 50,000 subscribers whose names begin with A through M, and promise the release of N through Z.

“The repercussions from the Stratfor emails could be as far reaching as the WikiLeaks release of 250,000 State Department cables,” said cybersecurity expert Richard Stiennon, who blogs at ThreatChaos.com.

In addition, the emails can be used to reveal identities and secret assignments, he said. “If a general or colonel has a secret responsibility, these could reveal that person’s job and responsibility or particular project.”

An unofficial spokesman for the hackers, Barrett Brown, solicited volunteers online Tuesday, posting that 3.3 million “emails between some of the most powerful men in the world are about to be released.”

“Please prepare to help search through them.”

During an online chat late Wednesday, he said the emails would be released within the next day or two.

A Stratfor spokesman said Thursday the company is aware of the hackers’ claims, which it could not verify. He said Stratfor is conducting an internal investigation with law enforcement agencies, including the FBI.

The Department of Homeland Security and the FBI did not respond to calls for comment.

A data- and identity-theft prevention expert criticized Stratfor’s lack of proper security measures.

“From what we can tell, the credit card numbers and credit card verification numbers were not encrypted. That’s no good,” said Aaron Titus, privacy officer at Identity Finder. “That’s definitely against the rules.”

The subscribers’ passwords were encrypted, but about 50 percent of them were cracked, Mr. Titus said. If subscribers are using those same logins and passwords for other websites, other personal information could be at risk.

Stratfor was hacked earlier this week, but the hackers’ first data dump could still be found online.

One of the subscribers listed is Houston police Officer Jay Chase, whose wife, Valerie, was disturbed when she heard his information was posted online.

In a Dec. 26 statement, the hackers promised to “expropriate” more than $500,000 from the company’s “bigshot clients,” posting: “You didn’t think we’d let 2011 end without a BANG, did you?”

“We’re not one of those people,” said Mrs. Chase, a middle-school teacher. “It’s not us. We were hit hard with the economy.”

Cybersecurity experts see no end in sight to these kinds of attacks.

“2011 has been the year of the breach,” Mr. Titus said. “One thing I hope is that companies understand from this, you need to get rid of information that you don’t need.

“Sensitive information is a liability, not an asset. If you absolutely must keep it, encrypt it securely, and get rid of anything unnecessary.”