Nov. 5 (Bloomberg) -- FBI officials quietly approached executives at Coca-Cola Co. on March 15, 2009, with some startling news.
Hackers had broken into the company’s computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group, according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.
Coca-Cola, the world’s largest soft-drink maker, has never publicly disclosed the loss of the Huiyuan information, despite its potential effect on the deal. It is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees -- and in some cases even from senior executives.
When hackers last year waged a large-scale attack on BG Group Plc, raiding troves of sensitive data, the British energy company never made it public. Luxembourg-based steel maker ArcelorMittal also kept mum when intruders targeted, among others, its executive overseeing China. As did Chesapeake Energy Corp., after cyber attackers made off with files from its investment banking firm about natural gas leases that were up for sale.
Each of these cases was detailed to Bloomberg News either by people involved in remediating the situation or executives briefed on the details, who asked not to be identified because the information wasn’t public; or in computer logs compiled by researchers monitoring the activities of hackers in China.
Digital intruders are increasingly targeting information about high-stakes business deals -- from mergers and acquisitions to joint ventures to long-term supply agreements -- and companies routinely conceal these breaches from the public, say government officials and security companies.
Such thefts are tilting the playing field, putting compromised companies at a disadvantage in business negotiations and, in turn, leaving investors in the dark, they say.
“Investors have no idea what is happening today,” says Jacob Olcott, a former cyber policy adviser to the U.S. Congress. “Companies currently provide little information about material events that occur on their networks.”
In the U.S., the Securities and Exchange Commission last year said that companies are required to report any material losses from such attacks, and any information “a reasonable investor would consider important to an investment decision.”
“We don’t credit the idea that no one would care,” says Meredith Cross, director of the SEC’s division of corporation finance. “We think reasonable investors could care depending on the specific facts and circumstances.”
Yet no company has publicly disclosed the theft of sensitive deal-related information from a computer intrusion, says Olcott, a principal at Good Harbor Consulting, an Arlington, Virginia-based company that provides security risk management services.
Many companies worry that such news could batter their reputation and stock price, according to more than a dozen information-security managers.
“They fear that bringing this to the public will do them more harm than good,” says Michael Oberlaender, who has worked as the top information-security executive at companies in the U.S. and Germany.
A striking aspect of the wave of corporate hacking is how little is sometimes known about the information taken, much less who is taking it and how it’s being used, say security researchers.
Without complete answers, it can be difficult for companies to attach a dollar figure to the losses. Most don’t deem hacks to be a material event, which would require disclosure to shareholders, says Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security.
“All of the ambiguities stack the deck against disclosure,” he says.
Despite the estimated $60 billion invested by corporations and governments in network security systems, hackers continue to circumvent them.
The Coca-Cola report provides a rare and chilling account of the intricate and determined ways that hackers raided its files -- from pilfering internal e-mails to gaining the ability to access almost any Microsoft Windows server, work station or laptop on the network with full remote control.
Computer hackers made daily incursions through Coca-Cola networks over a period of at least one month, often using systems that were first compromised by infected e-mails sent to company executives. The messages were disguised to look authentic but actually contained malicious software, or malware, that gave intruders a pipeline into the company’s networks, according to the report.
Once inside, the hackers struck quickly. In the first two days, they uploaded a dozen tools allowing them to steal e-mails and documents, installed a keystroke logger on the machine of a top executive in Hong Kong, and stole computer account passwords for other Coca-Cola employees, including those with administrative powers, to help them move freely across the company’s network, according to the report.
It is unclear whether the attack played a role in the demise of the Huiyuan acquisition.
Coca-Cola spokesman Kent Landers said the company wouldn’t discuss “security matters,” but in a statement said it “manages security risks in conjunction with the appropriate security and law enforcement organizations around the world.”
“We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws,” he added.
Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation in Washington, declined to comment.
Like many other corporate cyberattacks, it appears that hackers in China were behind the Coca-Cola breach.
While the internal Coke report says the intruders were state-sponsored, its details, including the types of malware and techniques used, suggest they are part of Comment group, one of the most prolific hacking groups based in China, according to AlienVault, a San Mateo, California-based security firm.
“It’s very clear that Comment is behind it,” says Jaime Blasco, head of AlienVault’s security lab.
Comment has extensive reach, Bloomberg News reported in July, having penetrated computer networks from the European Union Council to powerful Washington law firms to workers at a U.S. nuclear power plant.
Companies doing business in China or competing against Chinese rivals should expect hackers will go after their most confidential files, says James Lewis, a senior fellow who studies cybersecurity at the Center for Strategic and International Studies in Washington.
“This has been a part of their plan to catch up to the West,” Lewis says. “You steal their technology, you steal their business secrets.”
The theft of deal-related information has become widespread even as it remains mostly secret, so much so that U.K. Foreign Secretary William Hague said in a speech in October that it has the potential to affect the trajectory of the global economy.
“If these attacks are left unchecked, they could have a devastating impact on the future earning potential of many major companies and the economic well-being of countries,” Hague said.
The Chinese Foreign Ministry said accusations that China engaged in broad hacking efforts are unfair “without concrete evidence and investigation.”
“China is also a major victim of cyberattacks,” ministry spokesman Hong Lei said at a press briefing last week. “We hope to engage in active and practical international cooperation so as to jointly ensure Internet security.”
China’s Ministry of Commerce didn’t respond to a request for comment.
Many companies tightly restrict knowledge of computer breaches to a select handful of staffers and swear consultants to confidentiality, requiring them to destroy documents and erase hard drives upon finishing their work, according to the more than dozen information-security managers.
Take, for instance, an intrusion last year at BG Group that has never been disclosed to shareholders. The company, which posted $21 billion in revenue in 2011, discovered a breach in its computer networks described as massive by four people knowledgeable about it, with vast quantities of data taken.
The hack targeted information such as geological maps and drilling records, as well as far-flung data from the company’s worldwide network going back at least a year, that could impact sensitive deals, according to one of the people who worked on cleaning up the intrusion.
Despite the scope of the breach, it was kept under wraps inside the company, according to three of the people. Most of the company’s information-technology staff weren’t told about the intrusion, according to one of the people, who described how colleagues at adjacent desks had no clue anything was wrong.
Since the end of 2010, Reading, U.K.-based BG Group has included for investors a one-sentence risk factor in its regulatory filings: “Information security breaches may also result in the loss of BG Group’s commercially sensitive data.”
BG Group spokesman Mark Todd said he wouldn’t respond to “rumor and speculation, or upon media stories based on anonymous sources.”
The company “has robust security measures across its business to protect its information technology,” he said in an e-mailed statement. “BG Group fully complies with all relevant market disclosure guidelines and regulatory requirements. When we have something material to announce, we do so via the established disclosure channels.”
Companies listed on the London Stock Exchange are under rules, similar to those in the U.S., to disclose to investors anything that will have a material impact on the company’s financial situation, says Chris Hamilton, a spokesman for the Financial Services Authority, the U.K. financial watchdog.
800 Million Pounds
In one case, officials estimated the cost of lost data from a British company while concealing the firm’s identity from the public. Jonathan Evans, head of Britain’s MI5 domestic security service, said in a speech in June that digital intruders targeting a “major London listed company” had caused a loss of 800 million pounds ($1.3 billion), in part because of the resulting disadvantage in “contractual negotiations.”
Investor advocates are trying to prod companies into publicly disclosing the breaches, even if they can’t estimate their cost. If information worth a few million dollars is compromised, the same security weaknesses could be exploited to steal data worth hundreds of millions of dollars, says Michael Connor, executive director of Open MIC, a New York-based non-profit that focuses on media policies and supports shareholder activists.
“The extreme reaction of not talking about it at all seems to me not very productive, particularly if you have whole industries that are being attacked,” says Connor.
To gain access to confidential deal information, hackers often target links in a chain of outside organizations that handle such information on the company’s behalf, such as banks and law firms. China-based cyberthieves, for instance, hacked into the computer networks of seven law firms in 2010 to get more information about BHP Billiton Ltd.’s ultimately unsuccessful $40 billion bid to acquire Canadian company Potash Corp. of Saskatchewan, Inc., Bloomberg reported in January.
Intruders took a similar approach last year in a breach that ultimately targeted Chesapeake Energy, the second-largest U.S. natural gas producer, according to a person familiar with the situation and computer logs viewed by Bloomberg News. The logs indicate that Comment group obtained information about Chesapeake’s efforts to sell natural-gas leases by hacking into an office of Jefferies Group Inc., which is advising on the sales.
At just after noon on Sept. 22, 2011, the logs show, hackers gained access to the computer system of Kyle Guidry, an investment banker in Houston who handles energy deals for New York-based Jefferies. The intruders rooted around in Guidry’s system for about three hours, departing at 3:17 p.m. local time. Among the files they took were those titled “CHK Mississippian,” “CHK Utica JV Utica,” “Sinopec CA - Executed.docx” and “General - China SHG\deals\STA.”
Chesapeake, whose ticker on the New York Stock Exchange is CHK, was in the midst of selling stakes in the Utica shale deposit in Ohio at the time, and is still trying to find buyers for assets in the Mississippi Lime in Kansas and Oklahoma.
Neither Chesapeake nor Jefferies disclosed the hack to shareholders.
Chinese energy companies have been on an energy buying spree in the U.S. and Canada. Fu Chengyu, chairman of China Petroleum & Chemical Corp., or Sinopec, said in May the company has held talks with Chesapeake and others about shale investments.
Lv Dapeng, a Sinopec spokesman, didn’t respond to phone calls seeking comment.
A Chesapeake spokesman, Jim Gipson, didn’t reply to requests for comment. The company hasn’t publicly disclosed any loss of deal information, nor does it list data breaches as a risk-factor in SEC filings.
“Information security is a high priority at Jefferies and we make all appropriate effort to safeguard client information,” says Richard Khaleel, a spokesman for Jefferies.
Kyle Guidry declined to comment.
In its most recent annual report, Jefferies warned investors of a hypothetical risk: “Our computer systems, software and networks may be vulnerable to unauthorized access, computer viruses or other malicious code,” which could jeopardize clients’ confidential information.
Records show that cyber intruders also have managed to penetrate the computers of top dealmakers.
In July 2011, Comment group rifled through the computer networks of ArcelorMittal, according to computer logs compiled by researchers tracking the hackers.
Among their targets: Sudhir Maheshwari, the executive in charge of corporate finance, and mergers and acquisitions for the world’s largest steel maker.
The logs show Comment intruders broke into Maheshwari’s computer on July 14, 2011, at 12:08 p.m. Eastern Standard Time. Once inside, they searched through a folder called “China.” After examining a draft version of a PowerPoint presentation Maheshwari gave at a JPMorgan Chase & Co. conference in Beijing the month before, the hackers zipped up, encrypted and downloaded all the PowerPoints, the logs show.
The intruders then bundled up his e-mail messages from June 22 to July 14, 2011. A security researcher who analyzed the logs says he assumes that the e-mails were downloaded, though the log files don’t confirm that. He requested anonymity because he was discussing confidential material.
While confirming that a breach occurred last year on Maheshwari’s laptop, Giles Read, an ArcelorMittal spokesman, says an internal investigation found it was not a widespread compromise of the computer networks and the company believes a firewall prevented documents from being removed. In addition, it conducted a review of the targeted e-mails and documents and determined that none of them contained highly sensitive information, Read says.
ArcelorMittal, which trades in Amsterdam, has never publicly disclosed a serious breach of its computer networks. In February, the steelmaker began referencing the possibility of such a threat in its regulatory filings. The warning wasn’t instigated by any particular breach, Read says.
“An increasing number of companies, including ArcelorMittal, have recently experienced intrusion attempts or even breaches of their information technology security,” says the annual report. Such an incident could allow hackers to “misappropriate confidential information, cause interruptions in the company’s operations, damage its computers or otherwise damage its reputation,” it says.
Hackers showed similar prowess in penetrating the networks of Coca-Cola.
In 2008, shareholders of Huiyuan, the biggest fruit and vegetable juice company in China, hired Goldman Sachs to find a buyer for the company. After months of due diligence, Atlanta-based Coca-Cola made the highest offer at $2.4 billion. The deal was publicly announced on Sept. 3, 2008, pending approval from China’s Ministry of Commerce.
Two weeks later, Paul Etchells, then the deputy president of Coca-Cola’s Pacific Group, met with U.S. officials from the American Embassy in Beijing and expressed confidence that the deal would clear China’s internal antitrust review, according to a U.S. State Department cable published by Wikileaks.
Over the next six months, Coca-Cola supplied written information to China’s Ministry of Commerce on 12 occasions and interacted a further 18 times with China’s regulators, according to another State Department cable released by Wikileaks.
Amid this review, the company learned that its computer systems had been breached and sensitive deal information taken from the computer account of Etchells on March 3, 2009, according to the internal report on the attack.
The investigation traced the breach back to an e-mail that appeared in Etchells’s in-box on Feb. 16, 2009, according to the report.
The message contained the subject line “Save power is save money! (from CEO)” and appeared to come from the work e-mail account of Bernhard Goepelt, at the time a legal executive in the company’s Pacific Group and today, senior vice president and general counsel.
Coca-Cola’s brass had been striving to meet company-wide energy reduction targets. The body of the e-mail contained a link to a file that purported to contain a message from the chief executive officer.
When Etchells clicked on the link, malware was surreptitiously loaded onto his machine, giving hackers full access to Etchells’s computer via the Internet, according to the internal report. They installed a keystroke logger, which captured everything the executive typed.
Once in control of the computer, the hackers installed various other programs, gaining access to the company’s corporate network and using Etchells’s machine as a staging point to store and download data taken from other computers.
Etchells, who left Coca-Cola in 2010, didn’t reply to requests for an interview.
Shortly after Etchells’s computer was compromised, hackers targeted other Coca-Cola executives in the region. On March 13, 2009, a disguised malicious e-mail was sent to Brenda Lee, a public affairs executive in China. The message appeared to be a media advisory from the Beijing office of the World Bank. When Lee opened the attached PDF file, however, malware exploited a vulnerability in Adobe Reader software and gave hackers access to her machine, according to the report.
Hackers installed a keystroke logger and sought out e-mails related to the Huiyuan deal, forwarding them to a Gmail account whose owner couldn’t be identified, the report said.
Lee, who left Coca-Cola in 2011, declined to comment.
On March 18, 2009, just five days after the malicious e-mail landed in Brenda Lee’s inbox and one month after Etchells’s machine was compromised, the Chinese Ministry of Commerce rejected Coca-Cola’s acquisition citing antitrust grounds.
Coca-Cola issued a statement that day saying it respected the Ministry’s decision and wouldn’t appeal. Huiyuan remains an independent company and Coca-Cola hasn’t inked a major acquisition in China.
Coca-Cola has never publicly disclosed the loss of information related to the Huiyuan transaction, according to a review of its regulatory filings. Its 2011 annual report warns investors that the company “may suffer financial and reputational damage because of lost or misappropriated confidential information.”
“Like most major corporations, the company’s information systems are a target of attacks,” the report states.
Simply telling investors that there may be a cyberattack isn’t enough, risk-management experts say. If Coca-Cola knew that sensitive information pertaining to the Huiyuan deal had been taken, investors should know it wasn’t secure, even if it isn’t clear how that information was ultimately used, says Olcott, of Good Harbor Consulting.
“Investors have an expectation that companies are disclosing everything they should,” says Olcott. “The reality is this widespread trade-secret theft matters to investors. It has an impact on a company’s future competitiveness, which affects the bottom line.”
To contact the reporters on this story: Ben Elgin in San Francisco at email@example.com; Dune Lawrence in New York at firstname.lastname@example.org; Michael Riley in Washington at email@example.com