Coke Cyber-Attack Raises Corporate Disclosure Issues


Undeterred by Coca-Cola’s privacy policy, the company’s corporate website was attacked by Chinese hackers in March 2009 — but nobody knew, because the company decided against disclosing the breach publically after the FBI informed them.

Blooomberg reveals that the hackers spent one month “pilfering sensitive files” about Coca-Cola’s attempt to acquire China Huiyuan Juice Group for $2.4 billion. If successful, the transaction would have been the largest foreign takeover of a Chinese company ever. The breach started with malware-infected e-mails to Coca-Cola’s senior executives which, when opened, enabled the hackers to infiltrate the network and steal proprietary information. Once revealed, the Huiyuan deal collapsed three days later.[more]

An estimated $60 billion is spent annually by corporations and governments on network security systems that skilled hackers continue to breach, and not disclosing circumvention is not uncommon. ArcelorMittal, Chesapeake Energy Corp, Apollo Group, Dupont, BG Group Plc and Verisign have also been victims.

“One of the most pressing questions faced by companies that suffer a data breach is whether the choice not to disclose is in compliance with legal requirements,” notes Compliance Week. “According to the Securities and Exchange Commission, companies must report any material losses from cyber-attacks and any information that “a reasonable investor would consider important” when deciding whether to invest. Most companies, however, say they do not consider hacks to be a material event that would require a disclosure by the SEC.” 

One example of how Coca-Cola execs were duped by hackers: Paul Etchells, then deputy president of Coca-Cola’s Pacific Group, clicked on an email in his in-box on March 3, 2009, with the subject line: “Save power is save money! (from CEO)” that appeared to be from Bernhard Goepelt, at the time a legal executive in the company’s Pacific Group and today, svp and general counsel, the malware insidiously loaded, followed by a keystroke logger, capturing every stroke Etchells typed and opening the system to further breach of other executives in the territory.

“Digital intruders are increasingly targeting information about high-stakes business deals — from mergers and acquisitions to joint ventures to long-term supply agreements — and companies routinely conceal these breaches from the public, say government officials and security companies,” notes Bloomberg. “Investors have no idea what is happening today,” adds Jacob Olcott, a former cyber policy adviser to the U.S. Congress. “Companies currently provide little information about material events that occur on their networks.” 

Bloomberg hears that the hackers were likely part of the China-based Comment Group, one of the most prolific and far-reaching hacker networks with reported links to the Chinese military. “This has been a part of their plan to catch up to the West,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “You steal their technology, you steal their business secrets.” 

Coca-Cola told the BBC in a statement: “Our company’s security team manages security risks in conjunction with the appropriate security and law enforcement organisations around the world. As a matter of practice, we do not comment on security matters.”

Still, it raises the bigger question: do companies have a responsibility to their shareholders and customers to disclose cyber-attacks?


Leave a Reply

Your email address will not be published. Required fields are marked *