The December 2022 issue of IEEE Spectrum is here!

Close bar

Coca-Cola Disrespects Its Investors By Not Telling Them About Massive 2009 Computer Breach

Company executives didn’t know IT systems were compromised until FBI told them

2 min read
Coca-Cola Disrespects Its Investors By Not Telling Them About Massive 2009 Computer Breach

I wonder whether there are grounds for a shareholder lawsuit against Coca-Cola, the largest soft-drink maker in the world, for not informing its shareholders about a massive penetration of its IT systems back in early 2009 that may have scuppered its $2.4-billion bid for China Huiyuan Juice Group (1886).

According to a story broken by Bloomberg News on Sunday, Coca-Cola’s computer systems were penetrated most likely on the 16 February 2009 by cybercriminals employing phishing emails targeting Coca-Cola executives. Once inside Coca-Cola’s network, the thieves were in an envious position, “from pilfering internal e-mails to gaining the ability to access almost any Microsoft (MSFT) Windows server, work station or laptop on the network with full remote control,” the Bloomberg story states.

The article, which Bloomberg states is based on information from “three people familiar with the situation and an internal company document detailing the cyber intrusion,” says that for over a month the thieves were able to roam freely throughout Coca-Cola’s networks undetected. The thieves “uploaded a dozen tools allowing them to steal e-mails and documents, installed a keystroke logger on the machine of a top executive in Hong Kong, and stole computer account passwords for other Coca-Cola employees, including those with administrative powers, to help them move freely across the company’s network,” the story goes to state.

Apparently the cyber thieves, which the internal Coca-Cola intrusion report says were “state-sponsored,” wanted to find out everything involving Coca-Cola’s planned acquisition of China Huiyuan Juice Group, which at the time would have been the largest foreign takeover of a Chinese firm.  On the 15 March 2009, the FBI informed Coca-Cola’s very surprised executives that the company’s network had been compromised. How the FBI discovered the breach was not disclosed. Three days later, Coca-Cola’s acquisition was rejected by the Chinese Ministry of Commerce for failing to meet the country's anti-monopoly law.

Neither Coca-Cola nor the FBI cared to comment about the security incident, nor its possible effect on the acquisition. Coca-Cola also didn’t care to comment about why it didn’t tell shareholders about the breach, other than to state that, “We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws.” The Chinese Ministry of Commerce didn’t want to comment about the incident either.

Coca-Cola is not alone in deciding that its shareholders don’t need to know that their IT security systems have been compromised either. The Bloomberg story noted that the publicly-traded companies Chesapeake Energy (the second-largest producer of natural gas in the United States), ArcelorMittal (the world’s leading steel and mining company), and the BG Group (a major global energy company) all have suffered cyber-intrusions that they deemed to be of no interest to their shareholders.

In the case of Chesapeake Energy, Bloomberg reports that the company doesn’t even list data-breaches as being a corporate risk in its filings to the U.S. Security and Exchange Commission (SEC). I guess company executives don’t consider any of its private corporate information to be of any value. Maybe the company's shareholders should take notice.

In fact, maybe all disrespected shareholders of companies with similar attitudes should start taking notice.

The Conversation (0)

Why the Internet Needs the InterPlanetary File System

Peer-to-peer file sharing would make the Internet far more efficient

12 min read
An illustration of a series
Carl De Torres

When the COVID-19 pandemic erupted in early 2020, the world made an unprecedented shift to remote work. As a precaution, some Internet providers scaled back service levels temporarily, although that probably wasn’t necessary for countries in Asia, Europe, and North America, which were generally able to cope with the surge in demand caused by people teleworking (and binge-watching Netflix). That’s because most of their networks were overprovisioned, with more capacity than they usually need. But in countries without the same level of investment in network infrastructure, the picture was less rosy: Internet service providers (ISPs) in South Africa and Venezuela, for instance, reported significant strain.

But is overprovisioning the only way to ensure resilience? We don’t think so. To understand the alternative approach we’re championing, though, you first need to recall how the Internet works.

Keep Reading ↓Show less