IEEE database breached, personal info compromised

The Institute of Electrical and Electronics Engineers (IEEE) has notified the Attorney General of New Hampshire, the FBI and 828 of its members that a file containing the names, credit card numbers, expiration dates and security numbers of those members has been deleted – and likely copied – by intruders that managed to breach the association’s database.

The file was deleted on or about November 17, 2010, but the compromise was discovered in December. The IEEE hired a team of forensic investigators to determine who was behind the intrusion and what they were after.

The investigation was concluded in February 2011, and the result was the discovery of a number of system vulnerabilities that have since been patched and of the fact that that single file had been deleted.

The letter sent to the Attorney General also contained the letter sent to the affected members, in which the IEEE states that the data was accessed by a third party through a “sophisticated network intrusion”, that the information that was accessed was collected when they registered for an IEEE conference, and that they have no proof that the information was actually stolen.

They advised the recipients to review their credit and bank card statements to make sure that there were not unauthorized charges and offered them a one year subscription to an identity theft protection service.

But are credit card numbers the thing that the intruders were really after?

According to ThreatPost, it is quite possible and likely that the stolen data will be misused to mount phishing and social engineering attacks against the IEEE members affected. After all, the association has over 400,000 members, and most of them technical professionals that work in industries and organizations whose activities are surely of great interest to foreign governments.