Last Friday, Bloomberg News ran a story reporting that Kiplinger Washington Editors Inc., the publisher of Kiplinger's Personal Finance Magazine, had announced cyber intruders had penetrated its networks and had made off with the "user names, passwords, and encrypted credit card numbers from as many as 142 000 subscribers" to its magazines, including the popular Kiplinger Letter.
WTOP, a Washington, D.C., radio news station, reported on Saturday that the number of Kiplinger subscribers hacked was closer to 177 000, that information on 43 000 encrypted credit cards had been stolen, and that the company was "still trying to get to the bottom" of what was actually taken.
WTOP quoted Doug Harbrecht, new media director for Kiplinger's Personal Finance Magazine, as saying, "It looks like the hackers first tried in May and then came back on June 25. That's when we spotted them and shut them down."
Updated 14 July 2011:
Mr. Harbrecht sent a note saying, "The 177,000 number is incorrect. Up to 142,000 user names, passwords, and encrypted credit cards may have been accessed, our forensic investigation found, but we believe the numbers at risk are not that high."
Kiplinger only began notifying customers on 8 July, after it had notified the FBI, which is said to be looking into the matter. Kiplinger's FAQ page does not appear to offer any additional information concerning the hack attack.
(Note: Mr. Harbrecht also said that the FAQ has since been updated.)
Kiplinger's subscriber demographic is the generally affluent investor—a ripe target for hackers seeking financial rewards. Another subscriber demographic that makes for a tempting target for foreign intelligence services is the individuals who subscribe to defense magazines, which may explain another cyber intrusion announced about two weeks ago.
The Los Angeles Times reported that Gannett Government Media, which produces the Defense News, Defense News TV, the Armed Forces Journal, the Federal Times, Military Times, Military Times Edge, Army Times, Navy Times, Air Force Times, Marine Corps Times, the C4ISR Journal, and the Training and Simulation Journal, had its Web servers hacked.
According to the Times story, Gannett informed subscribers that the information taken included
your first and last name, user ID, password, e-mail address, the internal number we assigned to your account, and if you provided the information, your ZIP code, duty status, pay grade, and branch of service.
The attack, Gannett admitted, took place on 7 June, but those likely affected were not notified until 27 June. By way of explanation for the delay, Gannett said:
We have been working with an outside computer forensics company to help us investigate the breach and strengthen our security controls. We deeply regret any inconvenience that this may cause and appreciate your understanding. We take the security and privacy of your information very seriously and will continue to work diligently to protect your information.
The subscriber list to Gannett publications includes high-ranking members of the military, defense officials, and defense contractors. Gannett suggested that its customers "reset or strengthen" their passwords to their online Gannett magazine accounts; it probably should also have reminded those same customers not to use the same passwords for both their work and online accounts, which many undoubtedly have done.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.