Someone hacked tech analyst Forrester to steal its industry reports

Hackers broke into IT research firm Forrester’s website to steal its analyst reports, according to the company. 

The US analyst offered a sparse disclosure to investors on Friday about a “cyber incident” affecting its website Forrester.com, stating that it had no evidence that hackers had accessed “confidential client data, financial information, or confidential employee data” but had stolen the reports it makes available to customers through its website. 

The firm charges several hundreds dollars for access to individual reports, which offer enterprise technology buyers a deep dive into cloud platforms from Microsoft, Google, and Amazon, CRM software, analytics platforms, and cyber security.

"We recognize that hackers will attack attractive targets — in this case, our research IP,” said George F. Colony, chairman and chief executive officer of Forrester.

“We also understand there is a tradeoff between making it easy for our clients to access our research and security measures. We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cybersecurity risk."

The company’s statement doesn’t address how the breach occurred or the time between discovery and the incident occurring. CSO Online has asked Forrester for answers and will update the story if it receives any.

While stolen tech analyst reports might not pose a threat to individual users of the service, the information may be be valuable to perpetrators of highly targeted attacks, and follows breaches at the US Securities and Exchange commission, Deloitte, and several press release firms that have access to financial information of publicly traded companies prior to their official release. 

The breach also carries a risk to the firm’s reputation as provider of advisory and research services. 

Forrester’s chief business technology officer, Steven Peltzman, said in a company blog that it wasn’t an insider job, that it and not a third-party discovered the breach, and that it’s incident response plan operated as expected.

These are areas of cybersecurity it has published research about and that it’s analysts have commented on in news reports about data breaches affecting larger companies. 

In an article about Yahoo’s massive email hack, a Forrester analyst criticized Yahoo for the length of time it took “to discover, verify, come clean, and inform users”. Another Forrester analyst recently commented on the scale and cost of the Equifax hack, which occurred due to the credit reporting agency’s failure to patch a known flaw in the Apache Struts web framework software it used on its web servers.  

Peltzman’s post doesn’t explain how the attackers got in, but says they stole multiple valid Forrester.com user credentials to access the research papers. 

An “outside hacker stole valid Forrester.com user credentials that gave the hacker access to forrester.com” and used it to access research reports normally restricted to subscribers, according to Peltzman. 

He said Forrester detected the attack “as it was underway and took immediate action to stop the attack and limit impact.”  

Tags forresterbreach disclosure

Show Comments