I wonder whether there are grounds for a shareholder lawsuit against Coca-Cola, the largest soft-drink maker in the world, for not informing its shareholders about a massive penetration of its IT systems back in early 2009 that may have scuppered its $2.4-billion bid for China Huiyuan Juice Group (1886).
According to a story broken by Bloomberg News on Sunday, Coca-Cola’s computer systems were penetrated, most likely on 16 February 2009, by cybercriminals using phishing emails targeting Coca-Cola executives. Once inside Coca-Cola’s network, the thieves were in an enviable position, “from pilfering internal e-mails to gaining the ability to access almost any Microsoft (MSFT) Windows server, work station or laptop on the network with full remote control,” the Bloomberg story states.
The article, which Bloomberg states is based on information from “three people familiar with the situation and an internal company document detailing the cyber intrusion,” says that for over a month the thieves were able to roam freely and undetected throughout Coca-Cola’s networks. The thieves “uploaded a dozen tools allowing them to steal e-mails and documents, installed a keystroke logger on the machine of a top executive in Hong Kong, and stole computer account passwords for other Coca-Cola employees, including those with administrative powers, to help them move freely across the company’s network,” the story goes on to state.
Apparently the cyber thieves, whom the internal Coca-Cola intrusion report says were “state-sponsored,” wanted to find out everything involving Coca-Cola’s planned acquisition of China Huiyuan Juice Group, which at the time would have been the largest foreign takeover of a Chinese firm. On 15 March 2009, the FBI informed Coca-Cola’s very surprised executives that the company’s network had been compromised. How the FBI discovered the breach was not disclosed. Three days later, Coca-Cola’s acquisition was rejected by the Chinese Ministry of Commerce for failing to comply with the country’s anti-monopoly law.
Neither Coca-Cola nor the FBI cared to comment on the security incident or its possible effect on the acquisition. Coca-Cola also didn’t care to comment on why it didn’t tell shareholders about the breach, other than to state that, “We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws.” The Chinese Ministry of Commerce didn’t want to comment on the incident either.
Coca-Cola is not alone in deciding that its shareholders don’t need to know that its IT systems have been compromised. The Bloomberg story noted that the publicly traded companies Chesapeake Energy (the second-largest producer of natural gas in the United States), ArcelorMittal (the world’s leading steel and mining company), and the BG Group (a major global energy company) have all suffered cyber-intrusions that they deemed to be of no interest to their shareholders.
In the case of Chesapeake Energy, Bloomberg reports that the company doesn’t even list data breaches as a corporate risk in its filings with the U.S. Securities and Exchange Commission (SEC). I guess company executives don’t consider any of its private corporate information to be of any value. Maybe the company’s shareholders should take notice.
In fact, maybe all disrespected shareholders of companies with similar attitudes should start taking notice.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.