After Google hack, warnings pop up in SEC filings

Companies such as Intel and Symantec are adding advisories to their filings about the risks of computer attacks

Five months after Google was hit by hackers looking to steal its secrets, technology companies are increasingly warning their shareholders that they may be materially affected by hacking attempts designed to take valuable intellectual property.

In the past few months Google, Intel, Symantec and Northrop Grumman -- all companies thought to have been targets of a widespread spying operation -- have added new warnings to their U.S. Securities and Exchange Commission filings informing investors of the risks of computer attacks.

Google doesn't talk about the specific attack against its systems, but it now warns shareholders that this type of event is a material risk.

"[O]utside parties may attempt to fraudulently induce employees, users, or customers to disclose sensitive information in order to gain access to our data or our users' or customers' data," Google wrote in a section added to its annual financial report in February, a month after it disclosed the hacking incident.

Google warned that it could lose customers following a breach, as users question the effectiveness of its security. "Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures," the company said in the filing.

Google's admission that it had been targeted put a public spotlight on a problem that had been growing for years: targeted attacks, known to security professionals as the advanced persistent threat (APT). These attacks are often successful because they are low-volume, fly under the radar of most security companies and are extremely targeted. In many APT attacks, the victim is sent an interesting-looking document or a link to a Web site that contains attack code. If the victim's software isn't up-to-date (Google is thought to have been compromised via a bug in Internet Explorer 6), the criminals break into the computer, gaining a foothold in the company.

In February, Intel disclosed in an SEC filing that it had been targeted by a similar attack in January, and warned investors that the theft of its trade secrets could hurt its bottom line.

Last year, Heartland Payment Systems was sued by shareholders for failing to disclose that the company had been hit by a December 2007 SQL injection attack. Plaintiffs argued that the company should have disclosed the incident in SEC filings and in calls with financial analysts. The December incident was eventually linked to the largest data breach in U.S. history, and Heartland's stock dropped nearly 80 percent when the company finally disclosed the full extent of the attack in January 2009. Heartland shareholders ultimately lost this lawsuit, however.

Nevertheless, companies are still working out how -- and even if -- they must disclose hacking incidents in their financial filings, said Rob Lee, a director with Mandiant, a cyberforensics company often called in to investigate breaches. "They've never encountered this before, so there are no strict rules for how IP theft or data breach events are supposed to be accounted for," he said. "It may change, but there's no strict rule."

In a May 24 SEC filing, Symantec added extra warnings to the section of its annual report talking about the disruptions that hacking could cause, saying, "the theft and/or unauthorized use or publication of our trade secrets and other confidential business information as a result of such an event could adversely affect our competitive position, reputation, brand and future sales of our products."

A company spokesman said that Symantec reviews its risk factors on a regular basis.

Other technology companies -- IBM, Hewlett-Packard and Juniper Networks, for example -- included this type of warning even before Google went public with news of its attack.

It seems that more companies are now adding these risk disclosures about hacking, in part as insurance against possible lawsuits, said Sam Dibble, a partner in the business transactions group at Farella Braun & Martel, a San Francisco law firm.

No company wants to be the one that neglects to warn of a risk that everyone else can see, he said. "There's a follow-the-leader element to it," he said. "Once it starts popping up in your competitors' filings, people start saying, 'Why aren't we doing this?'"

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Googlesymantecsecurityintel

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?