When hackers crack into a Fortune 500 company, they’re usually not there to post funny cat pictures on the servers. With proper skills and timing, the right group of hackers can steal millions of dollars worth of intellectual property and sideline billion-dollar business deals. What’s even more impressive is that they can usually do so without the company even realizing that data have been compromised. But when firms do know, they probably feel a little bit silly and they often sweep all of the evidence under the rug when it comes time to make disclosures to their shareholders about what’s been happening at the company. By law, they don’t have to say a word about hacker attacks, regardless of how much it might’ve cost their bottom line.
Take Coca-Cola, for instance. This week, Bloomberg dug up the details of what might’ve been a catastrophic hack at Coca-Cola back in 2009, when the sugar water dealer was in the final stages of acquiring China’s Huiyuan Juice Group for $2.4 billion. The deal was first announced on September 3, 2008, and at the time, deputy president of Coca-Cola’s Pacific Group Paul Etchells said he was confident that Chinese anti-trust officials would give the acquisition the go-ahead. A State Department cable obtained and released by WikiLeaks shows that Coke met with China’s Ministry of Commerce a dozen times and with regulators 18 times. Then the hackers showed up.
The hack that appears to have destroyed the deal didn’t look much different from your everyday piece of email spam. On February 16, 2009, Etchells received an email with the subject line “Save power is save money! (from CEO)” that appeared to come from another executive and included an attachment that was supposed to be a message from the CEO. Etchells opened the attachment and in a split second gave hackers access to everything on his computers. The hackers also installed a keystroke logger so they could see everything that Etchells was typing. Ten days later, the hackers went after other Coke executives in the region.
It’s unclear what may have been stolen, and by whom. But what is clear is that on March 18, 2009, the Chinese Ministry of Commerce rejected the company’s $2.4 billion deal. Officially, it was due to a sudden concern over anti-trust violations, but the timing is suspicious. Coke hasn’t finalized an acquisition in China since and never said a word to shareholders.
It would be one thing if Coke’s bad luck with hackers was an isolated event, but it’s not. Comment, the group of Chinese hackers suspected in the Coke breach, also broke into the computers of the world’s largest steel company, ArcelorMittal. They stole some PowerPoint presentations, maybe some emails, and possibly a bunch of files. Frankly, ArcelorMittal doesn’t know exactly how much was stolen and didn’t think it was relevant to share news of the attack with its shareholders. The same goes for Lockheed Martin, which fended off a “significant and tenacious” attack last May but failed to disclose the details to investors and the Securities and Exchange Commission. DuPont got hit twice by Chinese hackers in 2009 and 2010 and didn’t say a word.
I could keep going — for longer than you’d likely care to read. Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and frightfully few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. “It doesn’t square that billions of dollars in intellectual property is being lost and investors don’t care,” Jacob Olcott, a former staff expert on cybersecurity for the Senate Commerce Committee, told Bloomberg. “Companies will think of every single reason not to report these incidents, which is why the investor side of things really needs to take control of these issues.”
One of the companies that’s been uniquely open so far is actually Google. And seriously, when the company being investigated by the government for everything from anti-trust violations to patent infringement is leading the way, things are really backwards.
Tough as it is to admit, there’s no easy way for the SEC to force companies to comply with its requests. In some cases, the companies don’t even know they’ve been targeted by hackers until well after the attack. Sometimes, they give passing mention to an incident with boilerplate language about a security breach or the risk of data theft. They’re not likely to admit that hackers cost them billions, though. Unless the rules change, it looks like if the SEC is going to get any serious hacking disclosure at all, it will need the help of a few companies leading the way on the disclosures.