A report by The Wall Street Journal today highlights the lack of attention corporate executives at the telecom device-maker, Nortel Networks, paid towards internal controls after it was discovered that, for over a decade, their corporate infrastructure had been illegally infiltrated by foreign agents. As early as 2000, hackers apparently obtained the passwords of seven top officials from China-based Internet addresses. The hackers had almost carte blanche access to the company’s entire internal network, and had created a reliable “back door” which allowed them to come and go as they pleased.
Our own internal process choked us all the time[.]” – Mr. Brian Shields, Internal Investigator, Nortel Networks.
The hacking was discovered in 2004, and exposed proprietary data such as client lists, acquisition plans, and monitoring of employee emails. Nortel Networks is now bankrupt, but in an internal investigation, it was determined that Nortel made no effort to determine if its products were compromised by the hacking incidents, and that it did not fix the problem, or disclose the hack, before it started to sell its assets to prospective buyers. According to The Wall Street Journal, it is possible that may of the companies who purchased Nortel assets inherited spyware or hacker infiltrations via the acquisitions.
People who looked at [the hacking] did not believe it was a real issue. This never came up like, ‘We have a real issue and we need to disclose to potential buyers of businesses.'” – Mr. Mike Zafirovski, former CEO, Nortel Networks.
As a publicly traded company, Nortel Networks is required by the Securities and Exchange Commission (SEC) to disclose “material” risks and events to investors. In a blog post last year, I commented on the guidance memo by the SEC which detailed the fact that cyber-attacks are not considered to be “material” under the applicable law. Such nondisclosure by a publicly traded company highlights the uncertainty in reporting requirements for corporate executives who discover that they have been infiltrated via a cyber-attack. However, it is up to the acquiring company to ask if the selling company has ever been hacked. If such is the case, and spyware has been loaded onto assets that were sold off as a result of Nortel’s bankruptcy plans, the acquiring company could be sued by its shareholders for lack of due diligence.
As is the case with most businesses, Nortel’s focus was on selling off assets in bankruptcy, and not to assess possible hacker damage as a result of the breach.