LulzXmas Stratfor hack exposes British defence staff

Hackers who breached the systems of strategic intelligence firm Stratfor over Christmas and posted the personal details of more than 850,000 users online have also exposed the details of British and NATO defence staff, it has been revealed.

The LulzXmas campaign was launched on Christmas Eve and is believed to have been carried out by members of hacktivist group Anonymous.

The usernames, email addresses and other details of 850,000 customers were posted to Pastebin by the hackers, while more than 70,000 credit card details were also exposed.

However, the Observer reported on Sunday that the details of 221 British military officials and 242 NATO staff were also included in the data dump, including information on key staff working for the Cabinet Office and advisers to the Joint Intelligence Organisation.

Cyber warfare expert John Bumgarner, who is chief technology officer at the US Cyber Consequences Unit, confirmed to the newspaper that some of those hit by the hack are indeed British defence and intelligence officials who work in sensitive areas.

According to the report, the encrypted passwords that were stolen could easily be broken by off-the-shelf software, although officials tried to downplay the seriousness of the incident by claiming that any passwords for communication within Whitehall would be different from those stolen.

Graeme Batsman, ethical hacker and director of security provider Data Defender, argued that Stratfor failed its customers by not encrypting documents, not isolating data and by putting sensitive data onto a web server.

He explained that sensitive data should never be put on a forward pointing web server and should be "encrypted on a document by document basis to stop other internal company departments viewing or pinching data".

He also recommended roles-based access to reduce the number of staff who can view sensitive data, and to limit its exposure in other ways by giving employees two computers.

"One is for basic email and internet browsing which is linked to a server with internet access," he said.

"Desktop number two is connected to a server with no outside access. All sensitive data should be stored on the network with the isolated server."

This latest attack suggests Anonymous is ramping up its activities for 2012 after a relatively quiet few months.

Last week, members of the online collective claimed to have hacked the web site of Sony Pictures in likely retaliation for the electronics giant's support for the controversial Stop Online Piracy Act (Sopa).

In the same week, the group launched the OpBlitzkrieg campaign aimed at disrupting the operations of several neo-Nazi web sites.