Coca-Cola’s computer system has been hacked, and sensitive information belonging to Paul Etchells, deputy president of the Pacific division, has been taken from his computer account. This is not recent news: the FBI informed the multinational company about it back in March of 2009. The intrusion seemed to be aimed at information on the attempted acquisition of China Huiyuan Juice Group. Coca-Cola Co. never disclosed the loss of the Huiyuan information to anyone.
The 2009 intrusion was carried out in a classic way, through malware that infected the official’s computer via a link in a bogus e-mail, together with a keystroke logger. Other Coca-Cola officials were targeted in similar ways, and the malicious hackers gained access to sensitive information and e-mails on the Huiyuan deal.
The acquisition never happened because the Chinese government rejected it, and it is unclear whether the cyber attack had anything to do with the decision. Investigations indicated, however, that the attack came from hackers based in China.
The Huiyuan deal was a $2.4 billion operation. It was an offer from Coca-Cola to take over the Huiyuan Group, which is considered one of China’s main manufacturers and sellers of juice products.
The data breach was never revealed except in an internal company statement. The public and, especially, Coca-Cola investors were never advised. This is consistent with the behavior of several other large companies that, when subjected to attacks by malicious hackers, have decided not to disclose the incidents to anyone and, worse, chose to keep them secret from shareholders, regulators, employees and occasionally from senior executives.
For example, British energy company BG, ArcelorMittal and Chesapeake Energy Corporation all suffered the loss of sensitive data through intruder attacks or cyber attacks and decided not to release any information to their investors.
The U.S. Securities and Exchange Commission now requires that all material changes in business or profitability as a result of an attack caused by hackers be made available to the public; this includes anything that could potentially affect the decisions of an investor or could make an impact on a company’s future competitiveness.
In spite of this, companies still believe that information about a computer intrusion would not be relevant and that its disclosure would therefore be more harmful than helpful.
In many cases it is also hard to speculate on the worth and the extent of the data compromised, so companies prefer concealing the event to preserve their reputation and not scare investors into thinking their security measures are not valid. Investor advocates, however, insist that this information could potentially influence investors’ decisions and therefore should be released as per current regulations.
Companies’ attitude toward disclosure can be understood, but investors should be able to judge the safety of their investment by having the appropriate information regarding the loss or destruction of data. Also, information on these large-scale breaches ought to be released so that it serves as a wake-up call to help improve security, not only at the system level through complicated security software, but also at the user level. Users, in fact, are normally seen as the weakest link in the cybersecurity chain; possibly, this is due to a lack of cyber education or a false sense of security.