CSO - It happened more than three and a half years ago. So it presumably would be old news that Chinese hackers broke into soft-drink behemoth Coca-Cola's computer systems and stole confidential files relating to its effort to acquire the China Huiyuan Juice Group for $2.4 billion.
But it is just coming to light now, through a report earlier this week in Bloomberg Businessweek. The story said the FBI contacted Coke executives on March 15, 2009, and told them hackers had been inside their system for a month. The attempted deal for Huiyuan collapsed three days later.
The U.S. Securities and Exchange Commission (SEC) requires companies to report to its shareholders any "material losses" from attacks, plus any information, "a reasonable investor would consider important to an investment decision."
Meredith Cross, director of the SEC's division of corporation finance, told Businessweek, "We think reasonable investors could care, depending on the specific facts and circumstances."
But Coca-Cola never disclosed the breach to its investors. Most companies don't. Bloomberg reported on breaches of the British energy company BG Group, the Chesapeake Energy and others that were never disclosed to investors.
When questioned about it, most company officials or representatives either declined to comment, or declared that they were in full compliance with all applicable laws.
The response of Coca-Cola spokesman Kent Landers was typical. "We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws," he told Businessweek.
One reason for the lack of transparency may be that Coca-Cola didn't discover the breach itself. It took notification from the FBI. That is common. Security experts regularly point out that many companies don't know they have been hacked until a third party tells them.
Breach victims also frequently don't know what was taken, who took it and how it is being used. So, since it is difficult to put a value on the loss, they argue that it is not a material event, and therefore not subject to that SEC regulation.
David C. Vladeck, director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection, made that point at a recent press conference, saying that the question of when major data breaches should be reported is "difficult. We don't necessarily have the right answers."
Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security, told Businessweek, "All of the ambiguities stack the deck against disclosure."
[See related: EPA data breach highlights worrying trend]
The SEC did not respond to questions about whether its regulations need to be less ambiguous. The agency does have a page on its website with "disclosure guidelines" from its Division of Corporate Finance.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!