After Google hack, warnings pop up in SEC filings

Companies such as Intel and Symantec are adding advisories to their filings about the risks of computer attacks

Five months after Google was hit by hackers looking to steal its secrets, technology companies are increasingly warning their shareholders that they may be materially affected by hacking attempts designed to take valuable intellectual property.

In the past few months Google, Intel, Symantec and Northrop Grumman -- all companies thought to have been targets of a widespread spying operation -- have added new warnings to their U.S. Securities and Exchange Commission filings informing investors of the risks of computer attacks.

Google doesn't talk about the specific attack against its systems, but it now warns shareholders that this type of event is a material risk.

"[O]utside parties may attempt to fraudulently induce employees, users, or customers to disclose sensitive information in order to gain access to our data or our users' or customers' data," Google wrote in a section added to its annual financial report in February, a month after it disclosed the hacking incident.

Google warned that it could lose customers following a breach, as users question the effectiveness of its security. "Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures," the company said in the filing.

Google's admission that it had been targeted put a public spotlight on a problem that had been growing for years: targeted attacks, known to security professionals as the advanced persistent threat (APT). These attacks are often successful because they are low-volume, fly under the radar of most security companies and are extremely targeted. In many APT attacks, the victim is sent an interesting-looking document or a link to a Web site that contains attack code. If the victim's software isn't up-to-date (Google is thought to have been compromised via a bug in Internet Explorer 6), the criminals break into the computer, gaining a foothold in the company.

In February, Intel disclosed in an SEC filing that it had been targeted by a similar attack in January, and warned investors that the theft of its trade secrets could hurt its bottom line.

Last year, Heartland Payment Systems was sued by shareholders for failing to disclose that the company had been hit by a December 2007 SQL injection attack. Plaintiffs argued that the company should have disclosed the incident in SEC filings and in calls with financial analysts. The December incident was eventually linked to the largest data breach in U.S. history, and Heartland's stock dropped nearly 80 percent when the company finally disclosed the full extent of the attack in January 2009. Heartland shareholders ultimately lost this lawsuit, however.

Nevertheless, companies are still working out how -- and even if -- they must disclose hacking incidents in their financial filings, said Rob Lee, a director with Mandiant, a cyberforensics company often called in to investigate breaches. "They've never encountered this before, so there are no strict rules for how IP theft or data breach events are supposed to be accounted for," he said. "It may change, but there's no strict rule."

In a May 24 SEC filing, Symantec added extra warnings to the section of its annual report talking about the disruptions that hacking could cause, saying, "the theft and/or unauthorized use or publication of our trade secrets and other confidential business information as a result of such an event could adversely affect our competitive position, reputation, brand and future sales of our products."

A company spokesman said that Symantec reviews its risk factors on a regular basis.

Other technology companies -- IBM, Hewlett-Packard and Juniper Networks, for example -- included this type of warning even before Google went public with news of its attack.

It seems that more companies are now adding these risk disclosures about hacking, in part as insurance against possible lawsuits, said Sam Dibble, a partner in the business transactions group at Farella Braun & Martel, a San Francisco law firm.

No company wants to be the one that neglects to warn of a risk that everyone else can see, he said. "There's a follow-the-leader element to it," he said. "Once it starts popping up in your competitors' filings, people start saying, 'Why aren't we doing this?'"


Robert McMillan

IDG News Service