The major website hacking of 2011—labeled “The Hack of the Year” by the media—has spilled over into a new year and is shaping up as a classic case history of how not to manage corporate communications and brand image in a crisis.
[Image: Stratfor.com’s holding page on Wednesday, Jan. 4, 2012]
It’s all about Stratfor, a global intelligence company in Austin, Texas, that has provided a steady flow of high-level analyses of world events to thousands of subscribers, including governments, officials, CEOs, NGOs, world leaders and so on.
Stratfor’s website was hacked and taken down on Christmas Eve. In unconfirmed online postings, the alleged hackers claim to have stolen not only the company’s website and backup, but all of the company’s email records and unencrypted files that include customer names and all of their credit card data.
More than 10 days later, Stratfor.com is still offline with nothing more than a static holding page. The company hasn’t been consistent, timely, respectful or transparent in its communications to subscribers who pay a pricey fee—starting at a base of $400 a year—for various levels of the intelligence reports. Quite the contrary, the company’s communications—mostly on its Facebook page—have been sparse, at best.
On Dec. 28, Stratfor posted on Facebook:
“As part of our ongoing investigation, we have also decided to delay the launching of our website until a thorough review and adjustment by outside experts can be completed.
We expect this to take approximately a week, but it might take longer—please bear with us as we recover from this unfortunate event.
In the meantime, we will not be deterred from doing what we do best: providing our customers with top-notch geopolitical analysis.
Therefore, while our website is being tested we will be sending geopolitical analysis to our members via email.”
While that update was posted on Facebook, it was not emailed to Stratfor’s subscribers, many of whom no doubt never follow Facebook. The company is in the business of emailing reports to subscribers but failed to provide this important update.
As any Stratfor subscriber knows, the “top-notch geopolitical analysis” emails have stopped. The lack of timely, substantive updates from the company could be read as the sign of an outfit in serious trouble, whether or not that is the case.
There are already lessons to be learned: communicators need a level of technical awareness in today’s digital era, where the brands, images and reputations of companies can be shattered in nanoseconds.
Stratfor, which purports to be a “shadow CIA” intelligence resource for thousands of companies and individuals, appears to have been a poster child of poor Internet security itself:
1. Stratfor’s IT people never hid the company’s website IP numbers or the fact that its servers were located at a relatively small Internet hosting company, which probably would have been understaffed on Christmas Eve. This may be a small point, but it suggests a careless approach to website security. Anyone can quickly see that information via GoDaddy.com or any domain name registrar. Simply run an ownership lookup (called “WhoIs”) on Stratfor.com and it reveals the IP numbers and that the servers are located at a place called Corenap.com in Austin. This is akin to intentionally leaving your house keys in the driveway and then being surprised when you return home to find the place ransacked.
Lesson to be learned: It costs $20 a year to hide such critical information.
2. Stratfor’s IT people not only hosted the company’s website on the server but also used it for company email, 200GB of which allegedly was stolen by the hackers.
Lesson to be learned: Use an online server for website hosting only. Don’t pinch pennies. Use Google Pro Apps for powerful email service that is highly secure and runs separately.
3. Stratfor may have lacked a website backup, judging by the length of time the site has been offline. Its site was built on a Microsoft website platform, which is one reason companies like Lockheed Martin have switched to using WordPress for greater online security.
Lesson to be learned: Not all IT people are as smart as they think they are.
4. Most troubling of all, Stratfor apparently stored highly sensitive documents on the same server … unencrypted. Client lists, credit card data, credit card PIN numbers and other information seemingly were kept on the same server used to host the website. That was incomprehensibly reckless and naive, in my opinion. It may also be a violation of law.
Lesson to be learned: When client and customer information is entrusted to a company, act responsibly. Security of client/customer information is paramount. Keep it offline and secured with encryption.
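To make lesson 4 concrete, here is an added example (not from the original post or from Stratfor) of what a web-facing system should be allowed to keep about a card payment: no full card number, no CVV or PIN, only a keyed token plus the last four digits, with the token key held outside the web host. The record, the key and the field names are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of the kind of record the post says was kept in plaintext
# beside the website: customer name, full card number and CVV together.
RAW_ORDER = {
    "customer": "Jane Example",
    "pan": "4111111111111111",   # industry test-range number, not a real account
    "cvv": "123",
    "expiry": "12/25",
}

# Fields that may exist in-flight during authorisation but never at rest.
FORBIDDEN_AT_REST = ("cvv", "cvc", "pin", "track")

def load_token_key() -> bytes:
    """Key used to tokenise card numbers. In a real deployment it comes from a
    secrets store or HSM reachable only from the payment tier, never from the
    web server's disk; a constructed fallback keeps this example runnable."""
    return os.environ.get("CARD_TOKEN_KEY", "constructed-demo-key-do-not-use").encode()

def tokenize_pan(pan: str, key: bytes) -> str:
    """Replace the card number with a keyed HMAC so repeat customers and refunds
    can still be matched without storing the number. The keyspace of valid card
    numbers is small, so the token is only as safe as the secrecy of the key."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def sanitize_for_storage(order: dict, key: bytes) -> dict:
    """Return the only form of an order the web-facing database may hold.
    Refuses outright if a forbidden field is still present."""
    for field in FORBIDDEN_AT_REST:
        if field in order:
            raise ValueError(f"refusing to persist {field!r}: not allowed at rest")
    digits = "".join(ch for ch in order["pan"] if ch.isdigit())
    stored = {k: v for k, v in order.items() if k != "pan"}
    stored["pan_token"] = tokenize_pan(digits, key)
    stored["pan_last4"] = digits[-4:]
    return stored

def strip_then_sanitize(order: dict, key: bytes) -> dict:
    """Drop the in-flight-only fields, then sanitise what remains."""
    in_flight_only = {k: v for k, v in order.items() if k not in FORBIDDEN_AT_REST}
    return sanitize_for_storage(in_flight_only, key)
```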
5. When a hack occurs, get ahead of the social media buzz with openness, swiftness and transparency. Stratfor waited about 18 hours before posting a poorly written, repetitive and vaguely worded statement publicly on Facebook, which seemed to be more about the company than its clients. The company has yet to enter the firestorm of negative details and sharing of company information happening on Twitter and other social media.
Lesson to be learned: When a crisis hits, respond instantly. You will be judged on how quickly you communicate. Show empathy, especially about stolen client information. Enter the online conversation even if you don’t yet have all the facts the attorneys want you to have. The trust and reputation of a company may be at stake, as in Stratfor’s case.