Some Victims of Online Hacking Edge Into the Light
SAN FRANCISCO — Hackers have hit thousands of American corporations in the last few years, but few companies ever publicly admit it. Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless.
Rarely have companies broken that silence, usually when the attack is reported by someone else. But in the last few weeks more companies have stepped forward. Twitter, Facebook, and Apple have all announced that they were attacked by sophisticated cybercriminals. The New York Times revealed its experience with hackers in a front-page article last month.
The admissions reflect the new way some companies are calculating the risks and benefits of going public. While companies once feared shareholder lawsuits and the ire of the Chinese government, some can't help noticing that those that make the disclosures are lauded, as Google was, for their bravery. Some fear the embarrassment of being unable to fend off hackers who may still be in high school.
(Read More: It's Absurd Only China Gets Caught for Hacking)
But as hacking revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.
"There is a 'hide in the noise' effect right now," said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization. "This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement."
In 2010, when Google alerted some users of Gmail — political activists, mostly — that it appeared Chinese hackers were trying to read their mail, such disclosures were a rarity. In its announcement, Google said that it was one of many — two dozen — companies that had been targeted by the same group. Google said it was making the announcement, in part, to encourage other companies to open up about the problem.
But of that group, only Intel and Adobe Systems reluctantly stepped forward, and neither provided much detail.
(Read More: Hackers Doing No Favors for China's Image)
Twitter admitted that it had been hacked this month. Facebook and Apple followed suit two weeks later. Within hours after The Times published its account, The Wall Street Journal chimed in with a report that it, too, had been attacked by what it believed to be Chinese hackers. The Washington Post followed.
Not everyone took advantage of the cover. Bloomberg, for example, has repeatedly denied that its systems were also breached by Chinese hackers, despite several sources that confirmed that its computers were infected with malware.
Computer security experts estimate that more than a thousand companies have been attacked recently. In 2011, security researchers at McAfee unearthed a vast online espionage campaign, called Operation Shady Rat, that found more than 70 organizations had been hit over a five-year period, many in the United States.
"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact," Dmitri Alperovitch, then McAfee's vice president for threat research, wrote in his findings.
"In fact," said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, "I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know."
Of that group, there are still few admissions. A majority of companies that have at one time or another been the subject of news reports of online attacks refuse to confirm them. The list includes the International Olympic Committee, Exxon Mobil, Baker Hughes, Royal Dutch Shell, BP, ConocoPhillips,Chesapeake Energy, the British energy giant BG Group, the steel maker ArcelorMittal and Coca-Cola.
(Read More: New China Hack Attack an 'Act of War': Blodget)
Like Google, some companies have stepped forward in the interest of increasing awareness and improving security within their respective industries, often to little avail. In 2009, Heartland Payment Systems, a major payment processing company, took the unusual step of disclosing a major data breach on its systems that potentially exposed millions of credit and debit card customers to fraud. It did so against the advice of its lawyers.
"Until then, most people tried to sweep breaches under the rug," said Steve Elefant, then Heartland's chief information officer. "We wanted to make sure that it didn't happen to us again and didn't want to sit back while the bad guys tried to pick us off one by one."
Heartland helped set up the Payments Processors Information Sharing Council to share information about security threats and breaches within the industry. Again, the company's lawyers thought it was a bad idea, "but we felt it was important."
The effort did not stop its other members from sweeping their own breaches under the rug. Last year, Global Payments, a major payment processor, did not disclose that it had been the victim of two major breaches that potentially affected millions of accounts, until the attacks were reported by a well-known security blogger. Even then, it did not offer details that other companies could use to fortify their systems. Last week, President Obama signed an executive order that encouraged increased information-sharing about online threats between the government and private companies. But compliance with the order is voluntary, a weakened alternative to an online security bill that stalled in Congress last year after the Chamber of Commerce, a lobbying group that itself was hacked, led an effort to block it, saying that the regulations would be too burdensome.
In Washington on Wednesday, several senior administration officials presented a new strategy for protecting American intellectual property by urging firms to step forward when attacked.
"There has been a reluctance by companies to come forward because of the concern about the impact on their shareholders or others," said Lanny A. Breuer, the assistant attorney general in charge of the criminal division of the Justice Department.
In October 2011, the Securities and Exchange Commission issued a new guidance that specifically outlined how publicly traded companies should disclose online attacks, but few disclosures have come because of it.
"Quite frankly, since then, there hasn't been an abundance of reporting on cyberevents despite the fact that they are clearly happening," said Jacob Olcott, a specialist in online risks who managed a Senate investigation into the disclosure practices.
The best hope, Mr. Olcott said, is that as investors start paying more attention to the threats, they will demand that companies disclose them. "I wouldn't hold my breath," Mr. Elefant said. "There are an awful lot of lawyers out there trying to keep companies from exposing that these breaches are happening. And they are happening."
—David E. Sanger contributed reporting from Washington.