In September 2008, Coca-Cola made a $2.4 billion acquisition bid for the Huiyuan Juice Group in what would have been the largest foreign takeover of a Chinese company at the time. The deal ultimately did not clear China's internal antitrust review panel, and both sides respectfully walked away from the negotiating table in March 2009. But according to Bloomberg, there is much more to that story than meets the eye. Network security logs and anonymous interviews obtained by the financial news site suggest that Coca-Cola was the victim of several targeted cyberattacks that it chose not to disclose to regulators, investors or even employees.
High-stakes spear phishing
The first traces of unauthorized activity surfaced on Coca-Cola's networks in February 2009. According to Bloomberg, Coca-Cola's Pacific Group deputy president Paul Etchells received a phishing email that co-opted the account of legal executive Bernhard Goepelt. The subject line referred to the company's ongoing energy efficiency initiatives, and the message contained a link that purported to lead to strategic information supplied by Coca-Cola's CEO. Once Etchells clicked the fraudulent link, a flood of malware was loaded onto his machine – including keylogging software that tracked everything he typed in the following weeks.
Shortly after Etchells's system had been compromised, public affairs executive Brenda Lee received a similar phishing email disguised as a media advisory from the Beijing office of the World Bank. According to Bloomberg, their two machines would serve as the staging ground for attacks that ultimately provided the hackers with administrator passwords and remote control over several laptops, workstations and even servers on the infected network.
This intelligence was made available to Coca-Cola executives – just days before the deal broke down – by FBI officials monitoring cyber espionage attempts in the region. However, news of the data security incidents never made its way down to investors or out to the general public.
According to Bloomberg, U.S. Securities and Exchange Commission mandates now require companies to report any "material losses" that occur as a result of cyberattacks and any related information that a "reasonable investor" would deem significant. However, the ambiguous language of this legislation has allowed Coca-Cola and others to keep unfortunate incidents under wraps.
"Investors have no idea what is happening today," former Congressional cyber policy advisor, Jacob Olcott, told reporters. "Companies currently provide little information about material events that occur on their networks."
Industrial espionage has become an unfortunate reality in today's network environments, and Coca-Cola is by no means the only big-name brand to suffer a significant attack when weighing operational expansion plans.
Bloomberg obtained similar reports related to an incident affecting British oil and gas giant BG Group in 2011. According to computer forensic experts associated with the mitigation and resolution effort, hackers walked away with sensitive data such as geological maps and drilling records in what was described as a "massive" breach. Yet interestingly enough, not even the company's IT staff or adjacent departments lining up new contracts were made aware of the incident.
Chesapeake Energy, the second-largest U.S. natural gas provider, suffered nearly the same fate. According to security logs reviewed by Bloomberg, hackers targeted a third-party consultant who had been assisting Chesapeake in the sale of natural gas leases at sites based in Ohio, Kansas and Oklahoma. In a three-hour stint inside the consultant's computer systems, criminals were able to identify, encrypt and extract several PowerPoint presentations related to the company's strategic dealings.
However, just as Coca-Cola and BG had before, Chesapeake elected not to disclose details at the time of the incident or in recent interviews. According to Bloomberg, the only hints supplied to investors have been a series of obligatory disclaimers included within regulatory filings, suggesting that a hypothetical cyberattack could jeopardize confidential and financially sensitive client information.
"Like most major corporations, the company's information systems are a target of attacks," read one section of Coca-Cola's 2011 annual report.
On some level, it is understandable that companies would take every legally defensible precaution to ensure data security incidents are not publicly disclosed. As TechWeek Europe columnist Tom Brewster noted, most businesses are reticent to appear vulnerable in an economic landscape that is very much built on confidence. Additionally, the disclosure of such vulnerabilities could attract a new wave of attacks from opportunistic hackers.
The damage done to brands such as Sony, following its PlayStation Network breach in 2011, is also fresh in executive memories. Between tumbling stock prices, customer lawsuits and state-of-the-art security upgrades, Sony's bottom line took several significant hits after its vulnerabilities became front-page news.
But what companies don't realize, according to Brewster, is that owning up to shortcomings may be a much wiser investor relations strategy. Although they may lose business in the short term, the impact will likely be much smaller than it could be if buried incidents come to light down the road and clients feel their trust has been abused.
More importantly, Brewster believes this open and honest discussion of security incidents will be instrumental in fueling the collective innovation of defense strategies.
"As Art Coviello, head of security giant RSA, said earlier this year, when one of us gets hit, we all get hit," Brewster wrote. "By the same token, if one of us gets better secured – and shares the knowledge – we are all better secured."
Data Security News from SimplySecurity.com by Trend Micro