CSO - It happened more than three and a half years ago. So it presumably would be old news that Chinese hackers broke into soft-drink behemoth Coca-Cola's computer systems and stole confidential files relating to its effort to acquire the China Huiyuan Juice Group for $2.4 billion.
But it is just coming to light now, through a report earlier this week in Bloomberg Businessweek. The story said the FBI contacted Coke executives on March 15, 2009, and told them hackers had been inside their system for a month. The attempted deal for Huiyuan collapsed three days later.
The U.S. Securities and Exchange Commission (SEC) requires companies to report to its shareholders any "material losses" from attacks, plus any information, "a reasonable investor would consider important to an investment decision."
Meredith Cross, director of the SEC's division of corporation finance, told Businessweek, "We think reasonable investors could care, depending on the specific facts and circumstances."
But Coca-Cola never disclosed the breach to its investors. Most companies don't. Bloomberg reported on breaches of the British energy company BG Group, the Chesapeake Energy and others that were never disclosed to investors.
When questioned about it, most company officials or representatives either declined to comment, or declared that they were in full compliance with all applicable laws.
The response of Coca-Cola spokesman Kent Landers was typical. "We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws," he told Businessweek.
One reason for the lack of transparency may be that Coca-Cola didn't discover the breach itself. It took notification from the FBI. That is common. Security experts regularly point out that many companies don't know they have been hacked until a third party tells them.
Breach victims also frequently don't know what was taken, who took it and how it is being used. So, since it is difficult to put a value on the loss, they argue that it is not a material event, and therefore not subject to that SEC regulation.
David C. Vladeck, director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection, made that point at a recent press conference, saying that the question of when major data breaches should be reported is "difficult. We don't necessarily have the right answers."
Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security, told Businessweek, "All of the ambiguities stack the deck against disclosure."
[See related: EPA data breach highlights worrying trend]
The SEC did not respond to questions about whether its regulations need to be less ambiguous. The agency does have a page on its website with "disclosure guidelines" from its Division of Corporate Finance.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!