In the annals of what-was-I-thinking moments in computer security, this has to be one of the most gobsmacking.
According to a Bloomberg News investigation of a series of undisclosed corporate data breaches, Coca-Cola was deeply penetrated by hackers in 2009 in what started with an e-mail with this subject line:
“Save power is save money! (from CEO)”
The message landed in executive Paul Etchells’s inbox on Feb. 16, 2009, according to a document obtained by Bloomberg.
The e-mail seems preposterous on its face, but the fact it appeared to come from a legal executive at the company — and at a time that Coca-Cola was pushing energy-saving measures — led Etchells to open it and click on a link that purported to lead to a message from the chief executive officer, according to the report. That kicked off a chain reaction that allowed the hackers to burrow into Coca-Cola’s network, seeking specific information about a major upcoming acquisition of a Chinese firm, a deal that later fell apart.
The example was one of several involving serious corporate intrusions where the hackers sought information on upcoming business deals. Companies rarely disclose how their systems are breached, so details about the e-mail that fooled Etchells offer a rare look at how even sophisticated attackers — which these clearly were — sometimes resort to highly unsophisticated techniques and are still successful.
Many advanced threats begin the way Coca-Cola’s did, illustrating a growing danger that companies face in protecting their networks. I’m reminded of the details that RSA, one of the world’s top computer-security firms, offered about an attack on its network that the company revealed in 2011.
That attack began innocuosly, as well, with a malicious e-mail that was sent to multiple low-level employees and carried the subject line: “2011 Recruitment Plan.” The e-mail landed in one employee’s junk folder, where he or she retrieved it and opened an attachment. It led to a breach that potentially jeopardized national security secrets, as RSA’s technology is used to secure the networks of government agencies and their contractors. RSA later confirmed that the information taken was used in an attempted attack on Lockheed Martin.
The incidents show how high the stakes are, and how big attacks often begin very small — with one person who opens a bad e-mail.