Ok, here's my theory on this incident.
This was a live honeypot.
It was implemented to try to catch and shut down high visibility hacker organizations and the real hackers that operate in them and not just the children who think they are hackers and play along or pretend they belong.
In security, a honeypot is a trap for spammers, hackers, and other malicious activities.
The premise is simple - place a visible point of access to a known entity where it can receive attention. However, if it is accessed illegally the data found is fictitious and sometimes tagged for tracking. This has been a counteraction against spammers and hackers for years. The best/worst hackers know this, some of whom helped develop the processes used in them.
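One way to do the "tagged for tracking" part described above, as an added example that is not from the original post (the key, field names and batch labels are assumptions): each fictitious record carries an HMAC tag bound to a batch label, so a copy that later surfaces can be verified as bait and traced to the access path it was seeded through.

```python
import hashlib
import hmac
from typing import Optional

# Assumed: a secret known only to the honeypot operator (constructed for this demo).
TAG_KEY = b"operator-only-secret-constructed-for-demo"

def _mac(fields: dict, batch: str, key: bytes) -> str:
    # Canonical field order so the MAC does not depend on dict ordering.
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(key, f"{batch}|{canonical}".encode(), hashlib.sha256).hexdigest()[:16]

def tag_record(record: dict, batch: str, key: bytes = TAG_KEY) -> dict:
    """Return a copy of a fictitious record carrying a tracking tag.

    The tag binds the record's fields to a batch label naming the access path
    it was seeded through, so a copy that later surfaces can be traced back,
    and an altered or forged record fails verification.
    """
    tagged = dict(record)
    # Hide the batch label and truncated MAC in an innocuous-looking field.
    tagged["customer_ref"] = f"{batch}-{_mac(record, batch, key)}"
    return tagged

def trace_record(record: dict, key: bytes = TAG_KEY) -> Optional[str]:
    """Return the batch a surfaced record was seeded in, or None if it is not ours."""
    ref = record.get("customer_ref")
    if not isinstance(ref, str) or "-" not in ref:
        return None
    batch, short_mac = ref.rsplit("-", 1)
    fields = {k: v for k, v in record.items() if k != "customer_ref"}
    # Constant-time compare so the verifier itself does not leak the tag.
    return batch if hmac.compare_digest(_mac(fields, batch, key), short_mac) else None

# Constructed sample: a fictitious subscriber record seeded via a decoy export.
SAMPLE = {"name": "Jane Example", "email": "jane@example.invalid", "card_last4": "0000"}

if __name__ == "__main__":
    seeded = tag_record(SAMPLE, "decoy-export-A")
    print(seeded["customer_ref"], trace_record(seeded))
```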
To determine if you have stumbled into a trap or a treasure trove, you need a point man to make the first access, grab information, and determine if the data is legit or bogus. In this incident, Stratfor was actually hacked two weeks before and a point man verified the data and passed that over to the hacker group.
If you look at the aftermath of this incident, unlike many hacks in the past, several key players were arrested and at least one group was effectively shut down.
Now, we have seen poor security before and have seen that poor security result in high profile hacks. Hackers find a few vulnerabilities or socially engineer access to key accounts or physically gain access to a system that has access to the internal network they want into.
This hack is different in one key way: It had every door wide open; every level of security was absent or compromised in ways that have been exposed and detailed for many years. Every basic security course teaches these failures and experienced IT professionals are well aware of them.
How could ANY global, high visibility intelligence provider who uses a payment system for subscription to their services fail on every level?
The system that governs credit card purchasing has 12 primary security processes of which Stratfor only implemented 3. Typically a review of any given implementation may find errors in one or two of these processes but not a complete absence of NINE of them. This is negligence in the extreme and would require an improbable level of ignorance or outright criminal behavior.
In the case of the Target Department Store hack, the CIO was not originally an IT professional but rather a corporate executive who was moved into the CIO position. Can executives make good decisions in fields they are not necessarily experts in? Sure, but in IT it's doubtful. I have been in IT for 35 years and I can tell you it's improbable. This is why I have a HUGE problem with businesses moving their IT organizations under the CFO and eliminating the CIO position. CFOs might be awesome with numbers and accounting systems but that's a high level system that rides on top of a very dynamic and complex foundation of technology. This is why so many companies now are 3 to 10 years behind in their tech implementations and are vulnerable to the most basic of attacks.
The Stratfor CIO has been in technology for years. Here's an excerpt of his bio: "...spent 20 years in IT leadership roles at a variety of major firms, including The Weather Channel, Circuit City, Delta Airlines, and Electronic Data Systems where he developed robust e-commerce and interactive web strategies as well as led the implementation of state-of-the-art information technology systems..."
He knows what is required.
Let's look at the aftermath of this hack. Higher level hackers arrested, hacking organizations penetrated or shut down, minimal lawsuit damages. Hmmm... sounds like a live honeypot to me.
Those who lost money or had their accounts compromised were reimbursed and probably given support to clear up ID compromises and issues. Was it ethical to use live bait? Did the hacking victims know beforehand? To make this look tempting and not expose the trap or the processes used in the trap, a class action lawsuit was used to "force" repayment of losses and damages. This keeps everything looking like a real hack and not a real trap. The victims may have signed NDAs to protect the processes used in this incident.
Until businesses and organizations stop using obsolete and inadequate systems and philosophies, cybercrime will continue. The methods used to find, track, and capture cybercriminals will change to try to stay half a step ahead.
If I'm wrong, this is the single most negligent, ignorant, criminal corporate failure in the history of mankind. Yet, the lawsuit damages were only 1.5 million? The company is still in business? No corporate executives went to jail?
Yeah, right. Sure.