Hackers broke into Coca-Cola's computer systems in March 2009 and pilfered sensitive files about company's failed attempt to acquire China Huiyuan Juice Group for US$2.4B, sources say
BEIJING, HONG KONG and LONDON
November 5, 2012
– FBI officials quietly approached executives at Coca-Cola Co. on March 15, 2009, with some startling news.
Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group, according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.
Coca-Cola, the world’s largest soft-drink maker, has never publicly disclosed the loss of the Huiyuan information, despite its potential effect on the deal. It is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees -- and in some cases even from senior executives.
When hackers last year waged a large-scale attack on BG Group Plc, raiding troves of sensitive data, the British energy company never made it public. Chesapeake Energy Corp. also kept mum after cyber attackers made off with files from its investment banking firm about natural gas leases that were up for sale.
Each of these cases was detailed to Bloomberg News either by people involved in remediating the situation or executives briefed on the details, who asked not to be identified because the information wasn’t public; or in computer logs compiled by researchers monitoring the activities of hackers in China.
Digital intruders are increasingly targeting information about high-stakes business deals -- from mergers and acquisitions to joint ventures to long-term supply agreements -- and companies routinely conceal these breaches from the public, say government officials and security companies.
Such thefts are tilting the playing field, putting compromised companies at a disadvantage in business negotiations and, in turn, leaving investors in the dark, they say.
“Investors have no idea what is happening today,” says Jacob Olcott, a former cyber policy adviser to the U.S. Congress. “Companies currently provide little information about material events that occur on their networks.”
In the U.S., the Securities and Exchange Commission last year said that companies are required to report any material losses from such attacks, and any information “a reasonable investor would consider important to an investment decision.”
“We don’t credit the idea that no one would care,” says Meredith Cross, director of the SEC’s division of corporation finance. “We think reasonable investors could care depending on the specific facts and circumstances.”
Many companies worry such news could batter their reputation and stock price. “They fear that bringing this to the public will do them more harm than good,” says Michael Oberlaender, who has worked as the top information-security executive at companies in the U.S. and Germany.
A striking aspect of the wave of corporate hacking is how little is sometimes known about the information taken, much less who is taking it and how it’s being used. Without complete answers, it can be difficult for companies to attach a dollar figure to the losses.
“All of the ambiguities stack the deck against disclosure,” says Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security.
Despite the estimated $60 billion invested by corporations and governments in network security systems, hackers continue to circumvent them.
The Coca-Cola report provides a rare and chilling account of the intricate and determined ways that hackers raided its files -- from pilfering internal e-mails to gaining the ability to access almost any Microsoft Windows server, work station or laptop on the network with full remote control.
Computer hackers made daily incursions through Coca-Cola networks over a period of at least one month, often using systems that were first compromised by infected e-mails sent to company executives. The messages were disguised to look authentic but actually contained malicious software, or malware, that gave intruders a pipeline into the company’s networks, according to the report.
In the first two days, the hackers uploaded a dozen tools allowing them to steal e-mails and documents, installed a keystroke logger on the machine of a top executive in Hong Kong, and stole computer account passwords for other Coca-Cola employees, including those with administrative powers, to help them move freely across the company’s network, according to the report.
It is unclear whether the attack played a role in the demise of the Huiyuan acquisition.
Coca-Cola spokesman Kent Landers said the company wouldn’t discuss “security matters,” adding in a statement that it “manages security risks in conjunction with the appropriate security and law enforcement organizations around the world.”
“We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws,” he added.
Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation in Washington, declined to comment.
Like many other corporate cyberattacks, it appears that hackers in China were behind the Coca-Cola breach.
While the internal Coke report says the intruders were state-sponsored, its details, including the types of malware and techniques used, suggest they are part of Comment group, one of the most prolific hacking groups based in China, according to AlienVault, a San Mateo, California-based security firm.
Companies doing business in China or competing against Chinese rivals should expect hackers will go after their most confidential files, says James Lewis, a senior fellow who studies cybersecurity at the Center for Strategic and International Studies in Washington.
The Chinese Foreign Ministry said accusations that China engaged in broad hacking efforts are unfair “without concrete evidence and investigation.”
“China is also a major victim of cyberattacks,” ministry spokesman Hong Lei said at a press briefing last week.
Many companies tightly restrict knowledge of computer breaches and swear consultants to confidentiality, requiring them to destroy documents and erase hard drives upon finishing their work, according to more than a dozen information-security managers.
BG Group last year discovered a breach in its computer networks described as massive by four people knowledgeable about it. It was kept under wraps inside the company, three of the people said.
The hack targeted information such as geological maps and drilling records, and far-flung data from the worldwide network going back at least a year, according to one of them.
“BG Group fully complies with all relevant market disclosure guidelines and regulatory requirements,” spokesman Mark Todd said. He declined to discuss any specific event.
To gain access to confidential deal information, hackers often target organizations that handle sensitive documents on a company’s behalf, such as banks and law firms.
Intruders took that approach last year in a breach that ultimately targeted Chesapeake Energy, the second-largest U.S. natural gas producer, according to a person familiar with the situation and computer logs viewed by Bloomberg News. The logs indicate that Comment group obtained information about Chesapeake’s efforts to sell natural-gas leases by hacking into an office of Jefferies Group Inc., which is advising on the sales.
Neither Chesapeake nor Jefferies disclosed the hack to shareholders. A Chesapeake spokesman, Jim Gipson, didn’t reply to requests for comment.
“Information security is a high priority at Jefferies and we make all appropriate effort to safeguard client information,” says Richard Khaleel, a spokesman for Jefferies.
--With assistance from Frank Longid, Cathy Chan, and Aibing Guo in Hong Kong; Kevin Hamlin in Beijing; Duane Stanford in Atlanta; and Kitty Donaldson in London. Editors: Marcia Myers, Melissa Pozsgay
Reporters on this story: Ben Elgin in San Francisco; Dune Lawrence in New York; Michael Riley in Washington
Editor responsible for this story: Melissa Pozsgay; or Gary Putka