Big DataData StorageSecurityWorkspace

Why Coca-Cola Should Have Admitted It Was Hacked

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Coca-Cola was reportedly hacked in 2009 and is still keeping quiet about it. Such reticence hurts all of us, says Tom Brewster

Burying bad news is one of the oldest tricks in the corporate book. Private businesses are often guilty of it. They don’t want anything to upset their share price and they don’t want to appear vulnerable. The economy is built on confidence after all.

So hiding hacks is something commonplace amongst businesses across the world. And it doesn’t seem to be too difficult to pull off. Coca-Cola is just one of many firms, uncovered by Bloomberg, that appears to have kept schtum about breaches of their networks and theft of their data.

British energy group BG Group and US natural gas firm Chesapeake Energy were also victims to serious cyber attacks in the last two years, according to the report. And important data allegedly went missing in all three cases.Coca Cola Shutterstock - © Pan Xunbin

In the case of BG, geological maps and drilling records were stolen, amongst other data that could have affected “sensitive deals”, according to the financial news agency. As for Coca-Cola, a spear phishing attack saw files on the company’s attempts to buy China Huiyuan Juice Group exfiltrated. Attackers, believed to be Chinese in origin, remained on the network for a month, according to the report. They also uploaded malware and stole admin passwords.

Despite the ostensibly serious nature of the attacks, they have only now been brought to light, years after they allegedly took place. And the companies continue to remain reticent to the press.

“We do not comment on rumour and speculation, or upon media stories based on anonymous sources,” BG told TechWeekEurope. “We continually review security measures and update them if and where we need to, but we do not discuss details of the arrangements we have in place.”

A Coca-Cola spokesperson told Bloomberg the company would not discuss “security matters.” He added: “We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws.”

Is it bad?

The question these cases raise is this: is keeping quiet on data breaches a bad thing? From the affected companies’ perspectives, no. Hacks can hurt stock prices, which are partly determined by shareholder conference. In the case of Sony, the PlayStation Network (PSN) breach of 2011 contributed to a serious decline in stock price.

Then there’s the money they are forced into parting with after a hack. Going back to the Sony case, not only did they take a hit in handing out compensation to affected customers, they had to shore up their security practices in earnest. Then there are the legal fees in fighting off litigation from disgruntled PSN members. They even had to employ the company’s first CISO. The total cost of all this? At least $171 million.

For those two financial reasons, businesses are loath to release information on security incidents. They also worry that by revealing anything about how they protect infrastructure, they will open themselves up to more attacks.

But businesses are often guilty of short-term thinking when it comes to security. They don’t recognise that transparency can be beneficial in the long-term.

First off, they fail to understand that honesty can improve shareholder relationships, even if they reveal bad news. Shareholders hate finding out they have been lied to and might well take back their investments when they eventually learn of a buried incident. The same goes for customers, who should really be first on a business’ list of priorities anyway.

More importantly, victims’ experiences could help all businesses, and their customers, benefit from better security in the future. That includes partner companies too. Given how key keeping supply chains secure has become, businesses would be better off if they shared intelligence.

By revealing information on threats and breaches, as well as best practices for security from both technological and process points of view, companies will get better at protecting themselves. They will have a far better understanding of what malware to look out for, what systems to update and what the most effective security stacks are for different verticals, or for specific projects. All of this can be fed into Big Data-ready software, such as SIEM (security information and events management) products, where IT teams can make sense of the masses of information coming their way. It just makes sense.

trust security - Shutterstock: © LightspringThis open approach will be anathema to many organisations, especially those particularly paranoid about competition, but as long as they share the right data, they can collaborate effectively. As Art Coviello, head of security giant RSA, said earlier this year, when one of us gets hit, we all get hit. By the same token, if one of us is better secured – and shares the knowledge – we are all better secured. If companies accepted this ideology as gospel, sharing data wouldn’t be a bugbear, it would be a marvellous business opportunity.

Message deleted

Sadly, that message hasn’t gotten through to businesses yet. Just look at the UK, where we hear about public sector breaches on an almost monthly basis but hear very little from the private sector.

Recent reports have revealed public sector bodies have handed over £2 million in monetary penalties to the government. Comparative private sector fines amount to around five percent of that figure. That means we hear a lot more about breaches at NHS trusts and local councils than at financial institutions or retailers.

This trend has emerged largely because public bodies are required to confess to breaches. Private bodies, faced only with gentle nudges from the ICO, are still permitted to keep quiet. And that’s exactly what they do in the majority of cases.

Things aren’t much better in the US, where the Securities and Exchange Commission requires firms to report any material losses from attacks, but according to Jacob Olcott, a former cyber policy adviser to the US Congress, “investors have no idea what is happening today”. “Companies currently provide little information about material events that occur on their networks,” he says.

We shouldn’t expect private businesses to take a leap of faith and become more open on data breaches any time soon. In a world where businesses are beholden to their shareholders, and where talking about security events remains an unnecessary, harmful taboo, silence is still golden. And yet we all suffer because of it.

What happens when IT goes to the movies? Try our quiz and find out!