CSO - It happened more than three and a half years ago. So it presumably would be old news that Chinese hackers broke into soft-drink behemoth Coca-Cola's computer systems and stole confidential files relating to its effort to acquire the China Huiyuan Juice Group for $2.4 billion.
But it is just coming to light now, through a report earlier this week in Bloomberg Businessweek. The story said the FBI contacted Coke executives on March 15, 2009, and told them hackers had been inside their system for a month. The attempted deal for Huiyuan collapsed three days later.
The U.S. Securities and Exchange Commission (SEC) requires companies to report to its shareholders any "material losses" from attacks, plus any information, "a reasonable investor would consider important to an investment decision."
Meredith Cross, director of the SEC's division of corporation finance, told Businessweek, "We think reasonable investors could care, depending on the specific facts and circumstances."
But Coca-Cola never disclosed the breach to its investors. Most companies don't. Bloomberg reported on breaches of the British energy company BG Group, the Chesapeake Energy and others that were never disclosed to investors.
When questioned about it, most company officials or representatives either declined to comment, or declared that they were in full compliance with all applicable laws.
The response of Coca-Cola spokesman Kent Landers was typical. "We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws," he told Businessweek.
One reason for the lack of transparency may be that Coca-Cola didn't discover the breach itself. It took notification from the FBI. That is common. Security experts regularly point out that many companies don't know they have been hacked until a third party tells them.
Breach victims also frequently don't know what was taken, who took it and how it is being used. So, since it is difficult to put a value on the loss, they argue that it is not a material event, and therefore not subject to that SEC regulation.
David C. Vladeck, director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection, made that point at a recent press conference, saying that the question of when major data breaches should be reported is "difficult. We don't necessarily have the right answers."
Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security, told Businessweek, "All of the ambiguities stack the deck against disclosure."
[See related: EPA data breach highlights worrying trend]
The SEC did not respond to questions about whether its regulations need to be less ambiguous. The agency does have a page on its website with "disclosure guidelines" from its Division of Corporate Finance.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!