Officials at Coca-Cola reportedly hid the fact that the company was victimized in a breach in 2009.
According to Bloomberg News, the FBI approached the company when it learned hackers had stolen sensitive files about the company's $2.4 billion acquisition of China Huiyuan Juice Group, which eventually collapsed. The compromise was reportedly occurred via emails with malicious links that were sent to company executives.
In the first two days of the attack, a dozen tools were uploaded that allowed the theft of emails and documents, as well as the installation of a keystroke logger on the machine of a top executive in Hong Kong. The computer account passwords for other Coke executives were also stolen, allowing the attackers to move across the network more easily.
According to Bloomberg, Coke never publicly disclosed the theft of the Huiyuan information – making it part of a long list of companies that have kept information about attacks secret from shareholders, regulators and others. In 2011, the U.S. Securities and Exchange Commission announced companies would be mandated to report cyber attacks and their impact.
"This is the future of crime; data theft is big business," said Mark Bower, vice president at Voltage Security. "And cases like this continue to raise awareness of the shortcomings of traditional infrastructure security in keeping sensitive data safe – whether that’s confidential client information, intellectual property, or sensitive details about mergers and acquisitions."
A Coca-Cola spokesperson told Bloomberg that it does not comment on security matters, but that the company makes disclosures when it is determined to be appropriate under the law.