SAN FRANCISCO, Feb 2 - At least a half-dozen
major U.S. companies whose computers have been infiltrated by
cyber criminals or international spies have not admitted to the
incidents despite new guidance from securities regulators urging
such disclosures.
Top U.S. cybersecurity officials believe corporate hacking
is widespread, and the Securities and Exchange Commission issued
a lengthy “guidance” document on Oct. 13 outlining how and when
publicly traded companies should report hacking incidents and
But with one full quarter having elapsed since the SEC
request, some major companies that are known to have had
significant digital security breaches have said nothing about
the incidents in their regulatory filings.
Defense contractor Lockheed Martin Corp (LMT.N), for
example, said last May that it had fended off a “significant and
tenacious” cyber attack on its networks. But Lockheed’s most
recent 10-Q quarterly filing, like its filing for the period
that included the attack, does not even list hacking as a
generic risk, let alone state that it has been targeted.
A Reuters review of more than 2,000 filings since the SEC
guidance found some companies, including Internet infrastructure
company VeriSign Inc (VRSN.O) and credit card and debit card
transaction processor VeriFone Systems Inc (PAY.N), revealed
significant new information about hacking incidents.
Yet the vast majority of companies addressing the issue only
used new boilerplate language to describe a general risk. Some
hacking victims did not even do that.
“It’s completely confusing to me why companies aren’t
reporting cyber risks” if only to avoid SEC enforcement or
private lawsuits, said Jacob Olcott, former counsel for the
Senate Commerce committee. The chair of that committee, John D.
Rockefeller, urged the SEC to act last year.
Stewart Baker, a corporate attorney and former assistant
secretary of the Department of Homeland Security, said the SEC
guidance was detailed enough that companies that know they have
been hacked will "have to work pretty hard not to disclose
something about the scope and risk of the intrusion."
Otherwise, "this is an opportunity for enforcement that
practically hands the case to the SEC on a platter," Baker said.
Lockheed spokesman Chris Williams said hacking was covered
under the company’s most recent annual securities filing, which
has as one of many risk factors “security threats, including
threats to our information technology infrastructure, attempts
to gain access to our proprietary or classified information,
threats to physical security of our facilities and employees,
and terrorist acts.”
Williams said the May attack had “no material effect on our
business.”
Mantech International Corp (MANT.O), CACI International Inc
(CACI.N) and other defense and technology firms that have been
reported by security researchers as hacking victims were
likewise silent in their most recent filings. Neither Mantech
nor CACI responded to interview requests.
“It’s common knowledge” that most large defense contractors
have been penetrated, said Olcott.
Sikorsky Aircraft, mindful of a strict New Hampshire law
warning individuals at risk of identity theft, wrote to that
state’s attorney general in August that hackers had gotten into
its system and could have accessed Social Security numbers of 55
employees who lived in the state.
Sikorsky said the employee data likely was not the hackers’
target, which suggests that they might have been after designs
or other trade secrets. But Sikorsky parent United Technologies
Corp (UTX.N) did not mention the May intrusion in subsequent SEC
filings.
“Like other companies, our businesses are subject to
(information technology) security attacks at times. We monitor
systems and cooperate closely with the government when
appropriate,” said United Technologies spokesman John Moran.
DEARTH OF CONFESSIONS
Melissa Hathaway, a former intelligence official who led
U.S. President Barack Obama’s initial cybersecurity policy
review and helped push the SEC to enact a disclosure policy,
said she was “surprised” at the dearth of new confessions.
“The SEC division of corporate finance has an obligation to
ask these companies why they didn’t disclose,” she said. “We
need to have transparency on the state of the situation, and we
need to have a national conversation regarding the near-term
impact of economic espionage and the long-term health of the
nation.”
The SEC declined to comment. The agency's guidance
officially clarifies previous policy instead of establishing a
new rule, a process that takes longer and requires a vote of the
commissioners. A person close to the agency said it expects
fuller disclosures in annual 10-K filings that will begin
appearing in volume this month.
Cybersecurity has been an increasing concern in Washington,
and Obama asked during his State of the Union speech for action
on legislative proposals. Security experts believe hackers are
frequently targeting valuable digital information including
strategic plans, blueprints and secret formulas.
But security experts in and out of government have
complained for years that most companies don't disclose even
very successful hacking attacks, because they never find out
about them or simply don't want to spook investors, customers or
business partners.
The U.S. National Counterintelligence Executive, in a
landmark November report that openly accused China of sponsoring
military and economic cyber espionage, said that it is hard for
companies to estimate the impact of losses that might not be
apparent for years.
One Pentagon contractor that did go into some detail
recently about the threat was Northrop Grumman Corp (NOC.N),
which warned: “Cybersecurity attacks in particular are evolving
and include, but are not limited to, malicious software,
attempts to gain unauthorized access to data, and other
electronic security breaches that could lead to disruptions in
mission critical systems, unauthorized release of confidential
or otherwise protected information and corruption of data. These
events could damage our reputation and lead to financial losses
from remedial actions, loss of business or potential liability.”
A few technology companies gave even more specific warnings,
including Juniper Networks Inc (JNPR.N), which makes gear for
routing Internet traffic, and chip-maker Intel Corp (INTC.O).
Intel had been one of the few to disclose a successful breach in
the past, along with Google Inc (GOOG.O), which has complained
of attacks originating in China.
In a November filing, Intel repeated that hackers had gotten
inside and warned that “the theft or unauthorized use or
publication of our trade secrets and other confidential business
information as a result of such an incident could adversely
affect our competitive position and reduce marketplace
acceptance of our products.”
Some companies asserted that they had not been hacked, or at
least averred that they had not been subject to a “material” or
“catastrophic” intrusion.
Others confessed to breaches for the first time, including
VeriSign and VeriFone Systems, which said it had experienced
“security breaches or fraudulent activities related to
unauthorized access to sensitive customer information.”
The company did not respond to requests for elaboration.
Point-of-sale terminals including VeriFone’s models are popular
targets for criminal hackers, who can tamper with them in order
to record passwords and card numbers.
VeriFone has been reported as a supplier of machines to
Michaels Stores Inc [MCHST.UL], a retail chain of hobbyist
stores that had to replace more than 7,000 terminals last year
after discovering tampering in 20 states.
Two other companies said they disclosed breaches because of
the SEC guidance. Tumi Holdings, the luggage maker that is
pursuing an initial public offering, said in a stock prospectus
that security systems in some of its retail stores had been
compromised in the past.
In an interview, Tumi Chief Financial Officer Michael Mardy
said there had been no theft of a database or other massive
breach. Instead, he said there had been occasions where store
employees had conspired with outsiders on a small scale, for
example by giving refunds to people who had not made purchases.
“We felt it was necessary to list as a risk factor because
it actually is a risk factor,” Mardy said.
University of Phoenix parent Apollo Group Inc (APOL.O),
which in the past had noted attempted breaches, for the first
time said some attempts had succeeded.
“We are facing an increasing number of threats to our
computer systems of unauthorized access, computer hackers,
computer viruses, malicious code, organized cyber attacks and
other system disruptions and security breaches, and from time to
time we experience such disruptions and breaches,” it wrote in a
10-Q.
Apollo spokesman Rick Castellano declined to say how
extensive the breaches had been. “Cybersecurity is an area of
growing concern for all companies,” Castellano said. “We
devote significant resources to manage any potential threat.”
