Five months after Google was hit by hackers looking to steal its secrets, technology companies are increasingly warning their shareholders that they may be materially affected by hacking attempts designed to take valuable intellectual property.
In the past few months Google, Intel, Symantec and Northrop Grumman - all companies thought to have been targets of a widespread spying operation - have added new warnings to their US Securities and Exchange Commission filings informing investors of the risks of computer attacks.
Google doesn't talk about the specific attack against its systems, but it now warns shareholders that this type of event is a material risk.
"[O]utside parties may attempt to fraudulently induce employees, users, or customers to disclose sensitive information in order to gain access to our data or our users' or customers' data," Google wrote in a section added to its annual financial report in February, a month after it disclosed the hacking incident.
Google warned that it could lose customers following a breach, as users question the effectiveness of its security. "Because the techniques used to obtain unauthorised access, disable or degrade service, or sabotage systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures," the company said in the filing.
Google's admission that it had been targeted put a public spotlight on a problem that had been growing for years: targeted attacks, known to security professionals as the advanced persistent threat (APT). These attacks are often successful because they are low-volume, fly under the radar of most security companies and are extremely targeted. In many APT attacks, the victim is sent an interesting-looking document or a link to a website that contains attack code. If the victim's software isn't up-to-date (Google is thought to have been compromised via a bug in Internet Explorer 6), the criminals break into the computer, gaining a foothold in the company.
In February, Intel disclosed in an SEC filing that it had been targeted by a similar attack in January, and warned investors that the theft of its trade secrets could hurt its bottom line.
Last year, Heartland Payment Systems was sued by shareholders for failing to disclose that the company had been hit by a December 2007 SQL injection attack. Plaintiffs argued that the company should have disclosed the incident in SEC filings and in calls with financial analysts. The December incident was eventually linked to the largest data breach in US history, and Heartland's stock dropped nearly 80 percent when the company finally disclosed the full extent of the attack in January 2009. Heartland shareholders ultimately lost this lawsuit, however.
Nevertheless, companies are still working out how - and even if - they must disclose hacking incidents in their financial filings, said Rob Lee, a director with Mandiant, a cyberforensics company often called in to investigate breaches. "They've never encountered this before, so there are no strict rules for how IP theft or data breach events are supposed to be accounted for," he said. "It may change, but there's no strict rule."
In a May 24 SEC filing, Symantec added extra warnings to the section of its annual report talking about the disruptions that hacking could cause, saying, "the theft and/or unauthorised use or publication of our trade secrets and other confidential business information as a result of such an event could adversely affect our competitive position, reputation, brand and future sales of our products."
A company spokesman said that Symantec reviews its risk factors on a regular basis.
Other technology companies - IBM, HP and Juniper Networks, for example - included this type of warning even before Google went public with news of its attack.
It seems that more companies are now adding these risk disclosures about hacking, in part as insurance against possible lawsuits, said Sam Dibble, a partner in the business transactions group at Farella Braun & Martel, a San Francisco law firm.
No company wants to be the one that neglects to warn of a risk that everyone else can see, he said. "There's a follow-the-leader element to it," he said. "Once it starts popping up in your competitors' filings, people start saying, 'Why aren't we doing this?'"