SAN FRANCISCO — Hackers have hit thousands of American corporations in the last few years, but few companies ever publicly admit it. Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless. Rarely have companies broken that silence, usually when the attack is reported by someone else. But in the last few weeks more companies have stepped forward. Twitter, Facebook and Apple have all announced that they were attacked by sophisticated cybercriminals. The New York Times revealed its experience with hackers in a front-page article last month.
The admissions reflect the new way some companies are calculating the risks and benefits of going public. While companies once feared shareholder lawsuits and the ire of the Chinese government, some can’t help noticing that those that make the disclosures are lauded, as Google was, for their bravery. Some fear the embarrassment of being unable to fend off hackers who may still be in high school. But as hacking revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd. “There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”
In 2010, when Google alerted some users of Gmail — political activists, mostly — that it appeared Chinese hackers were trying to read their mail, such disclosures were a rarity. In its announcement, Google said that it was one of many — two dozen — companies that had been targeted by the same group. Google said it was making the announcement, in part, to encourage other companies to open up about the problem. But of that group, only Intel and Adobe Systems reluctantly stepped forward, and neither provided much detail.
Twitter admitted that it had been hacked this month. Facebook and Apple followed suit two weeks later. Within hours after The Times published its account, The Wall Street Journal chimed in with a report that it, too, had been attacked by what it believed to be Chinese hackers. The Washington Post followed. Not everyone took advantage of the cover. Bloomberg, for example, has repeatedly denied that its systems were also breached by Chinese hackers, despite several sources that confirmed that its computers were infected with malware.
Computer security experts estimate that more than a thousand companies have been attacked recently. In 2011, security researchers at McAfee unearthed a vast online espionage campaign, called Operation Shady Rat, that found more than 70 organizations had been hit over a five-year period, many in the United States. “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice president for threat research, wrote in his findings. “In fact,” said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
Of that group, there are still few admissions. A majority of companies that have at one time or another been the subject of news reports of online attacks refuse to confirm them. The list includes the International Olympic Committee, Exxon Mobil, Baker Hughes, Royal Dutch Shell, BP, ConocoPhillips, Chesapeake Energy, the British energy giant BG Group, the steel maker ArcelorMittal and Coca-Cola.
Source: https://www.nytimes.com/2013/02/21/technology/hacking-victims-edge-into-light.html?hp&_r=0