SAN FRANCISCO – Hackers have hit thousands of U.S. corporations in the past few years, but few companies ever publicly admit it. Most treat cyberattacks as a dirty secret best kept from customers, shareholders and competitors for fear that disclosure will sink their stock price and tarnish them as hapless.
Only on rare occasions have companies broken that silence, usually when the attack is reported by someone else. But in the past few weeks more companies have stepped forward. Twitter, Facebook and Apple have all announced they were attacked by sophisticated cybercriminals. The New York Times revealed its experience with hackers in an article last month.
The admissions reflect the new way some companies are calculating the risks and benefits of going public. While companies once feared shareholder lawsuits and the ire of the Chinese government, some cannot help but notice that those that make the disclosures are lauded, as Google was, for their bravery. Some fear the embarrassment of being unable to fend off hackers who are still in high school.
But as hacking revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.
“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit cyber research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”
Computer security experts estimate that more than 1,000 companies have been attacked recently. In 2011, security researchers at McAfee unearthed a large cyberespionage campaign, called Operation Shady RAT, in which more than 70 organizations, many in the United States, had been hit with cyberattacks over a five-year period.
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice president for threat research, wrote in his findings.
“In fact,” said Alperovitch, now chief technology officer at Crowdstrike, a security start-up, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”