Bloomberg’s Ben Elgin, Dune Lawrence and Michael Riley recently reported that Coca-Cola was hacked in early 2009, but never disclosed the breach to investors.
“The attack was launched … with the aim of exfiltrating files relating to Coca-Cola’s ultimately unsuccessful $2.4bn acquisition of China Huiyuan Juice Group,” writes The Register’s Phil Muncaster. “China’s Ministry of Commerce eventually rejected the deal after raising competition concerns.”
“Once inside, the hackers struck quickly,” the Bloomberg article states. “In the first two days, they uploaded a dozen tools allowing them to steal e-mails and documents, installed a keystroke logger on the machine of a top executive in Hong Kong, and stole computer account passwords for other Coca-Cola employees, including those with administrative powers, to help them move freely across the company’s network, according to [a Coca-Cola] report.”
“The FBI knew about it,” writes Threatpost’s Anne Saita. “Coca-Cola knew about it. But shareholders were kept in the dark. … The Coke case … shines a light on the lack of corporate disclosures of data breaches for fear they will damage stock prices. The Security and Exchange Commission says companies must report any material losses from cyber attacks; however, what constitutes a ‘material loss’ leaves a lot to [interpretation].”
“We shouldn’t expect private businesses to take a leap of faith and become more open on data breaches any time soon,” writes TechWeekEurope’s Tom Brewster. “In a world where businesses are beholden to their shareholders, and where talking about security events remains an unnecessary, harmful taboo, silence is still golden. And yet we all suffer because of it.”