FBI officials quietly approached executives at Coca-Cola Co. on March 15, 2009, with some startling news.

Hackers had broken into the company's computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group, according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.

Coca-Cola, the world's largest soft-drink maker, has never publicly disclosed the loss of the Huiyuan information, despite its potential effect on the deal. It is just one in a global barrage of corporate computer attacks kept secret from shareholders, regulators, employees — and in some cases even from senior executives.

When hackers last year waged a large-scale attack on BG Group Plc, raiding troves of sensitive data, the British energy company never made it public. Luxembourg-based steel maker ArcelorMittal also kept mum when intruders targeted, among others, its executive overseeing China. As did Chesapeake Energy Corp., after cyber attackers made off with files from its investment banking firm about natural gas leases that were up for sale.

Each of these cases was detailed to Bloomberg News either by people involved in remediating the situation or executives briefed on the details, who asked not to be identified because the information wasn't public; or in computer logs compiled by researchers monitoring the activities of hackers in China.

Digital intruders are increasingly targeting information about high-stakes business deals — from mergers and acquisitions to joint ventures to long-term supply agreements – and companies routinely conceal these breaches from the public, say government officials and security companies.

Such thefts are tilting the playing field, putting compromised companies at a disadvantage in business negotiations and, in turn, leaving investors in the dark, they say.

“Investors have no idea what is happening today,” says Jacob Olcott, a former cyber policy adviser to the U.S. Congress. “Companies currently provide little information about material events that occur on their networks.”

In the U.S., the Securities and Exchange Commission last year said that companies are required to report any material losses from such attacks, and any information “a reasonable investor would consider important to an investment decision.”

Investors Care

“We don't credit the idea that no one would care,” says Meredith Cross, director of the SEC's division of corporation finance. “We think reasonable investors could care depending on the specific facts and circumstances.”

Yet no company has publicly disclosed the theft of sensitive deal-related information from a computer intrusion, says Olcott, a principal at Good Harbor Consulting, an Arlington, Virginia-based company that provides security risk management services.

Many companies worry that such news could batter their reputation and stock price, according to more than a dozen information-security managers.

“They fear that bringing this to the public will do them more harm than good,” says Michael Oberlaender, who has worked as the top information-security executive at companies in the U.S. and Germany.

A striking aspect of the wave of corporate hacking is how little is sometimes known about the information taken, much less who is taking it and how it's being used, say security researchers.

Without complete answers, it can be difficult for companies to attach a dollar figure to the losses. Most don't deem hacks to be a material event, which would require disclosure to shareholders, says Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security.

“All of the ambiguities stack the deck against disclosure,” he says.

Despite the estimated $60 billion invested by corporations and governments in network security systems, hackers continue to circumvent them.

Chilling Account

The Coca-Cola report provides a rare and chilling account of the intricate and determined ways that hackers raided its files — from pilfering internal e-mails to gaining the ability to access almost any Microsoft Windows server, work station or laptop on the network with full remote control.

Computer hackers made daily incursions through Coca-Cola networks over a period of at least one month, often using systems that were first compromised by infected e-mails sent to company executives. The messages were disguised to look authentic but actually contained malicious software, or malware, that gave intruders a pipeline into the company's networks, according to the report.

Once inside, the hackers struck quickly. In the first two days, they uploaded a dozen tools allowing them to steal e-mails and documents, installed a keystroke logger on the machine of a top executive in Hong Kong, and stole computer account passwords for other Coca-Cola employees, including those with administrative powers, to help them move freely across the company's network, according to the report.

It is unclear whether the attack played a role in the demise of the Huiyuan acquisition.

Coca-Cola spokesman Kent Landers said the company wouldn't discuss “security matters,” but in a statement said it “manages security risks in conjunction with the appropriate security and law enforcement organizations around the world.”

“We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws,” he added.

Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation in Washington, declined to comment.

Like many other corporate cyberattacks, it appears that hackers in China were behind the Coca-Cola breach.

While the internal Coke report says the intruders were state-sponsored, its details, including the types of malware and techniques used, suggest they are part of Comment group, one of the most prolific hacking groups based in China, according to AlienVault, a San Mateo, California-based security firm.

China Hackers

“It's very clear that Comment is behind it,” says Jaime Blasco, head of AlienVault's security lab.

Comment has extensive reach, Bloomberg News reported in July, having penetrated computer networks from the European Union Council to powerful Washington law firms to workers at a U.S. nuclear power plant.

Companies doing business in China or competing against Chinese rivals should expect hackers will go after their most confidential files, says James Lewis, a senior fellow who studies cybersecurity at the Center for Strategic and International Studies in Washington.

“This has been a part of their plan to catch up to the West,” Lewis says. “You steal their technology, you steal their business secrets.”

The theft of deal-related information has become widespread even as it remains mostly secret, so much so that U.K. Foreign Secretary William Hague said in a speech in October that it has the potential to affect the trajectory of the global economy.

“If these attacks are left unchecked, they could have a devastating impact on the future earning potential of many major companies and the economic well-being of countries,” Hague said.

The Chinese Foreign Ministry said accusations that China engaged in broad hacking efforts are unfair “without concrete evidence and investigation.”

“China is also a major victim of cyberattacks,” ministry spokesman Hong Lei said at a press briefing last week. “We hope to engage in active and practical international cooperation so as to jointly ensure Internet security.”

China's Ministry of Commerce didn't respond to a request for comment.

Many companies tightly restrict knowledge of computer breaches to a select handful of staffers and swear consultants to confidentiality, requiring them to destroy documents and erase hard drives upon finishing their work, according to the more than dozen information-security managers.

Massive Breach

Take, for instance, an intrusion last year at BG Group that has never been disclosed to shareholders. The company, which posted $21 billion in revenue in 2011, discovered a breach in its computer networks described as massive by four people knowledgeable about it, with vast quantities of data taken.

The hack targeted information such as geological maps and drilling records, as well as far-flung data from the company's worldwide network going back at least a year, that could impact sensitive deals, according to one of the people who worked on cleaning up the intrusion.

Despite the scope of the breach, it was kept under wraps inside the company, according to three of the people. Most of the company's information-technology staff weren't told about the intrusion, according to one of the people, who described how colleagues at adjacent desks had no clue anything was wrong.

Since the end of 2010, Reading, U.K.-based BG Group has included for investors a one-sentence risk factor in its regulatory filings: “Information security breaches may also result in the loss of BG Group's commercially sensitive data.”

BG Group spokesman Mark Todd said he wouldn't respond to “rumor and speculation, or upon media stories based on anonymous sources.”

The company “has robust security measures across its business to protect its information technology,” he said in an e-mailed statement. “BG Group fully complies with all relevant market disclosure guidelines and regulatory requirements. When we have something material to announce, we do so via the established disclosure channels.”

Companies listed on the London Stock Exchange are under rules, similar to those in the U.S., to disclose to investors anything that will have a material impact on the company's financial situation, says Chris Hamilton, a spokesman for the Financial Services Authority, the U.K. financial watchdog.

800 Million Pounds

In one case, officials estimated the cost of lost data from a British company while concealing the firm's identity from the public. Jonathan Evans, head of Britain's MI5 domestic security service, said in a speech in June that digital intruders targeting a “major London listed company” had caused a loss of 800 million pounds ($1.3 billion), in part because of the resulting disadvantage in “contractual negotiations.”

Investor advocates are trying to prod companies into publicly disclosing the breaches, even if they can't estimate their cost. If information worth a few million dollars is compromised, the same security weaknesses could be exploited to steal data worth hundreds of millions of dollars, says Michael Connor, executive director of Open MIC, a New York-based non-profit that focuses on media policies and supports shareholder activists.

“The extreme reaction of not talking about it at all seems to me not very productive, particularly if you have whole industries that are being attacked,” says Connor.

To gain access to confidential deal information, hackers often target links in a chain of outside organizations that handle such information on the company's behalf, such as banks and law firms. China-based cyberthieves, for instance, hacked into the computer networks of seven law firms in 2010 to get more information about BHP Billiton Ltd.'s ultimately unsuccessful $40 billion bid to acquire Canadian company Potash Corp. of Saskatchewan, Inc., Bloomberg reported in January.

Intruders took a similar approach last year in a breach that ultimately targeted Chesapeake Energy, the second-largest U.S. natural gas producer, according to a person familiar with the situation and computer logs viewed by Bloomberg News. The logs indicate that Comment group obtained information about Chesapeake's efforts to sell natural-gas leases by hacking into an office of Jefferies Group Inc., which is advising on the sales.

At just after noon on Sept. 22, 2011, the logs show, hackers gained access to the computer system of Kyle Guidry, an investment banker in Houston who handles energy deals for New York-based Jefferies. The intruders rooted around in Guidry's system for about three hours, departing at 3:17 p.m. local time. Among the files they took were those titled “CHK Mississippian,” “CHK Utica JV Utica,” “Sinopec CA – Executed.docx” and “General – China SHGdealsSTA.”

Chesapeake Files

Chesapeake, whose ticker on the New York Stock Exchange is CHK, was in the midst of selling stakes in the Utica shale deposit in Ohio at the time, and is still trying to find buyers for assets in the Mississippi Lime in Kansas and Oklahoma.

Neither Chesapeake nor Jefferies disclosed the hack to shareholders.

Chinese energy companies have been on an energy buying spree in the U.S. and Canada. Fu Chengyu, chairman of China Petroleum & Chemical Corp., or Sinopec, said in May the company has held talks with Chesapeake and others about shale investments.

Lv Dapeng, a Sinopec spokesman, didn't respond to phone calls seeking comment.

A Chesapeake spokesman, Jim Gipson, didn't reply to requests for comment. The company hasn't publicly disclosed any loss of deal information, nor does it list data breaches as a risk-factor in SEC filings.

“Information security is a high priority at Jefferies and we make all appropriate effort to safeguard client information,” says Richard Khaleel, a spokesman for Jefferies.

Kyle Guidry declined to comment.

In its most recent annual report, Jefferies warned investors of a hypothetical risk: “Our computer systems, software and networks may be vulnerable to unauthorized access, computer viruses or other malicious code,” which could jeopardize clients' confidential information.

Records show that cyber intruders also have managed to penetrate the computers of top dealmakers.

In July 2011, Comment group rifled through the computer networks of ArcelorMittal, according to computer logs compiled by researchers tracking the hackers.

Hacking ArcelorMittal

Among their targets: Sudhir Maheshwari, the executive in charge of corporate finance, and mergers and acquisitions for the world's largest steel maker.

The logs show Comment intruders broke into Maheshwari's computer on July 14, 2011, at 12:08 p.m. Eastern Standard Time. Once inside, they searched through a folder called “China.” After examining a draft version of a PowerPoint presentation Maheshwari gave at a JPMorgan Chase & Co. conference in Beijing the month before, the hackers zipped up, encrypted and downloaded all the PowerPoints, the logs show.

The intruders then bundled up his e-mail messages from June 22 to July 14, 2011. A security researcher who analyzed the logs says he assumes that the e-mails were downloaded, though the log files don't confirm that. He requested anonymity because he was discussing confidential material.

While confirming that a breach occurred last year on Maheshwari's laptop, Giles Read, an ArcelorMittal spokesman, says an internal investigation found it was not a widespread compromise of the computer networks and the company believes a firewall prevented documents from being removed. In addition, it conducted a review of the targeted e-mails and documents and determined that none of them contained highly sensitive information, Read says.

ArcelorMittal, which trades in Amsterdam, has never publicly disclosed a serious breach of its computer networks. In February, the steelmaker began referencing the possibility of such a threat in its regulatory filings. The warning wasn't instigated by any particular breach, Read says.

“An increasing number of companies, including ArcelorMittal, have recently experienced intrusion attempts or even breaches of their information technology security,” says the annual report. Such an incident could allow hackers to “misappropriate confidential information, cause interruptions in the company's operations, damage its computers or otherwise damage its reputation,” it says.

Hacker Prowess

Hackers showed similar prowess in penetrating the networks of Coca-Cola.

In 2008, shareholders of Huiyuan, the biggest fruit and vegetable juice company in China, hired Goldman Sachs to find a buyer for the company. After months of due diligence, Atlanta-based Coca-Cola made the highest offer at $2.4 billion. The deal was publicly announced on Sept. 3, 2008, pending approval from China's Ministry of Commerce.

Two weeks later, Paul Etchells, then the deputy president of Coca-Cola's Pacific Group, met with U.S. officials from the American Embassy in Beijing and expressed confidence that the deal would clear China's internal antitrust review, according to a U.S. State Department cable published by Wikileaks.

Over the next six months, Coca-Cola supplied written information to China's Ministry of Commerce on 12 occasions and interacted a further 18 times with China's regulators, according to another State Department cable released by Wikileaks.

Amid this review, the company learned that its computer systems had been breached and sensitive deal information taken from the computer account of Etchells on March 3, 2009, according to the internal report on the attack.

The investigation traced the breach back to an e-mail that appeared in Etchells's in-box on Feb. 16, 2009, according to the report.

The message contained the subject line “Save power is save money! (from CEO)” and appeared to come from the work e-mail account of Bernhard Goepelt, at the time a legal executive in the company's Pacific Group and today, senior vice president and general counsel.

Coca-Cola's brass had been striving to meet company-wide energy reduction targets. The body of the e-mail contained a link to a file that purported to contain a message from the chief executive officer.

When Etchells clicked on the link, malware was surreptitiously loaded onto his machine, giving hackers full access to Etchells's computer via the Internet, according to the internal report. They installed a keystroke logger, which captured everything the executive typed.

Adobe Vulnerability

Once in control of the computer, the hackers installed various other programs, gaining access to the company's corporate network and using Etchells's machine as a staging point to store and download data taken from other computers.

Etchells, who left Coca-Cola in 2010, didn't reply to requests for an interview.

Shortly after Etchells's computer was compromised, hackers targeted other Coca-Cola executives in the region. On March 13, 2009, a disguised malicious e-mail was sent to Brenda Lee, a public affairs executive in China. The message appeared to be a media advisory from the Beijing office of the World Bank. When Lee opened the attached PDF file, however, malware exploited a vulnerability in Adobe Reader software and gave hackers access to her machine, according to the report.

Hackers installed a keystroke logger and sought out e-mails related to the Huiyuan deal, forwarding them to a Gmail account whose owner couldn't be identified, the report said.

Lee, who left Coca-Cola in 2011, declined to comment.

On March 18, 2009, just five days after the malicious e-mail landed in Brenda Lee's inbox and one month after Etchells's machine was compromised, the Chinese Ministry of Commerce rejected Coca-Cola's acquisition citing antitrust grounds.

Coca-Cola issued a statement that day saying it respected the Ministry's decision and wouldn't appeal. Huiyuan remains an independent company and Coca-Cola hasn't inked a major acquisition in China.

Coca-Cola has never publicly disclosed the loss of information related to the Huiyuan transaction, according to a review of its regulatory filings. Its 2011 annual report warns investors that the company “may suffer financial and reputational damage because of lost or misappropriated confidential information.”

“Like most major corporations, the company's information systems are a target of attacks,” the report states.

Simply telling investors that there may be a cyberattack isn't enough, risk-management experts say. If Coca-Cola knew that sensitive information pertaining to the Huiyuan deal had been taken, investors should know it wasn't secure, even if it isn't clear how that information was ultimately used, says Olcott, of Good Harbor Consulting.

“Investors have an expectation that companies are disclosing everything they should,” says Olcott. “The reality is this widespread trade-secret theft matters to investors. It has an impact on a company's future competitiveness, which affects the bottom line.”

Bloomberg News

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
