In another great example of What Not To Do, the intelligence firm Strategic Forecasting, Inc, apparently made no attempt whatsoever to comply with PCI DSS.
Antisec breached Stratfor’s networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chat. But that’s just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information—up to 200GB worth, in parts throughout the week leading up to New Year’s Eve. That trove allegedly includes 860,000 usernames, e-mails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no-card-present transactions; and over 2.5 million Stratfor e-mails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.
According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.
So they stored the security code, stored the entire unencrypted credit card number, used plain-jane md5-hashed passwords, and left everything wide open, and disabled what security features were built-in to the software they were using.
Very Bad Practice.