Hack victims speaking out

More large companies now admitting security breaches

Hackers have hit thousands of U.S. corporations in the past few years, but few companies ever publicly admit it. Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors for fear that disclosure will sink their stock price and tarnish them as hapless.

Only on rare occasions do companies break that silence, usually when the attack is reported by someone else. But in the past few weeks more companies have stepped forward. Twitter, Facebook and Apple have all announced that they were attacked by sophisticated cyber-criminals. The New York Times revealed its experience with hackers in an article last month.

The admissions reflect the new way some companies are calculating the risks and benefits of going public. While once companies feared shareholder lawsuits and the ire of the Chinese government, some cannot help but notice that those that make the disclosures are lauded, as Google was, for their bravery. Some fear the embarrassment of being unable to fend off hackers who are still in high school.

But as hacking revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.

“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit cyber-research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”

In 2010, when Google alerted some users of Gmail - political activists, mostly - that it appeared Chinese hackers were attempting to read their mail, such disclosures were a rarity.

In its announcement, Google said that it was one of many - two dozen - companies that had been targeted by the same group. Google said it was making the announcement, in part, to encourage other companies to also open up about the problem.

But of that group, only Intel and Adobe Systems reluctantly stepped forward, and neither provided much detail.

Twitter admitted it had been hacked this month. Facebook and Apple followed suit two weeks later. Within hours after the Times published its account, The Wall Street Journal chimed in with a report that it, too, had been attacked by what it believed to be Chinese hackers. The Washington Post followed.

Not everyone took advantage of the cover. Bloomberg, for example, has repeatedly denied that its systems were also breached by Chinese hackers, despite several sources that confirmed its computers were infected with malware.

Computer security experts estimate that more than 1,000 companies have been attacked recently. In 2011, security researchers at McAfee unearthed a large cyber-espionage campaign, called Operation Shady Rat, that found that more than 70 organizations had been hit with cyber-attacks over a five-year period, many in the United States.

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice president for threat research, wrote in his findings.

“In fact,” said Alperovitch, now the chief technology officer at Crowdstrike, a security startup, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”

The majority of companies that have at one time or another been the subject of news reports of cyber-attacks refuse to confirm them.

The list includes the International Olympic Committee, Exxon Mobil, Baker Hughes, Royal Dutch Shell, BP, Conoco Phillips, Chesapeake Energy, the British energy giant the BG Group, the steel-maker ArcelorMittal and, most recently, Coca-Cola.

Some companies have stepped forward in the interest of increasing awareness and improving security within their respective industries, often to little avail.

In 2009, Heartland Payment Systems, a major payment-processing company, took the unusual step of disclosing a major data breach on its systems that potentially exposed millions of credit and debit-card customers to fraud. It did so despite the best advice of its lawyers.

“Until then, most people tried to sweep breaches under the rug,” said Steve Elefant, then Heartland’s chief information officer. “We wanted to make sure that it didn’t happen to us again and didn’t want to sit back while the bad guys tried to pick us off one by one.”

Heartland helped set up the Payments Processors Information Sharing Council to share information about security threats and breaches within the industry. Again, the company’s lawyers thought it was a bad idea.

“But we felt it was important,” Elefant said.

The effort did not stop other payment-processing companies from sweeping their own breaches under the rug. Last year, Global Payments, a major payment processor, did not disclose that it had been the victim of two major breaches that potentially affected millions of accounts, until it was outed by a well-known security blogger. Even then, it did not offer details that other companies could use to fortify their systems.

Earlier this month, President Barack Obama signed an executive order that encouraged increased information sharing about cyber-threats between the government and private companies. But compliance with the order is voluntary, a weakened alternative to a cyber-security bill that stalled in Congress last year after the Chamber of Commerce, a lobbying group that itself was hacked, led an effort to block it, saying that the regulations would be too burdensome.

In Washington on Wednesday, several senior administration officials presented a new strategy for protecting U.S. intellectual property by urging firms to step forward with cyber-attacks.

“There has been a reluctance by companies to come forward because of the concern about the impact on their shareholders or others,” said Lanny Breuer, the assistant attorney general in charge of the criminal division of the Department of Justice.

In October 2011, the Securities and Exchange Commission issued new guidance that specifically outlined how publicly traded companies should disclose cyber attacks, but few disclosures have come because of it.

“Quite frankly, since then, there hasn’t been an abundance of reporting on cyber events despite the fact that they are clearly happening,” said Jacob Olcott, a cyber risk expert who managed a Senate investigation into the disclosure practices.

The best hope, Olcott said, is that as investors start paying more attention to cyber-threats, they will demand that companies disclose them.

“I wouldn’t hold my breath,” Elefant responded. “There are an awful lot of lawyers out there trying to keep companies from exposing that these breaches are happening. And they are happening.”

Business, Pages 19 on 02/25/2013