Monsanto on Anonymous hacker attack: 'We remain vigilant'

7-Jul-11
Published in: St. Louis Business Journal
Author: Kelsey Volkmann
Description: Reporters come to Walker School of Business for answers after the activist hacker group Anonymous attacks the mail servers of Monsanto.

Monsanto is the latest target of the activist hackers group Anonymous, which said it attacked the Creve Coeur-based seed maker's mail servers, took out the company's website and released information on hundreds of employees. In a statement posted on the Pastebin site, Anonymous took credit for the attack on Monsanto, saying, "We blasted their web infrastructure to s*** for 2 days straight, crippling all 3 of their mail servers as well as taking down their main websites worldwide." Monsanto, which is led by Chairman, President and CEO Hugh Grant and reported $10.5 billion in 2010 revenue, confirmed the attack Wednesday. "Last month, Monsanto experienced a disruption to our websites which appeared to be organized by a cyber-group," the company said in a statement. "In addition, this group also recently published publicly available information on approximately 2,500 individuals involved in the broader global agriculture industry. Contrary to initial media reports, only 10 percent of this publicly available information related to Monsanto's current and former employees. The list also included contact details for media outlets as well as other agricultural companies. Information on these attacks has been turned over to the appropriate authorities. We remain vigilant in protecting our information systems." Wall Street didn't seem to mind the breach: Monsanto shares were trading up 0.68 percent at $74.64 a share Wednesday afternoon. It's safe to bet that Monsanto executives have been busy meeting with their in-house and external lawyers, IT professionals, crisis management team and public relations specialists to assess the legal and financial risks, as well as the potential loss in customer confidence, said Al Marcella, an IT security expert and professor in the management department of the George Herbert Walker School of Business & Technology at Webster University in Webster Groves.

"If you are breached, in my view, the incident can quickly escalate into a public relations and financial disaster," he said. Since Monsanto does business worldwide, the agriculture giant is likely looking at the different requirements for complying with various state breach laws for alerting those whose information is compromised, he said. In Missouri, for example, if the business must notify more than 1,000 affected residents about the breach, the company must also alert the Missouri attorney general or face $150,000 in penalties. Once a company is hacked, it can put the firm in a tough PR situation: Do you publicly comment on the situation and raise questions about your security and give the hackers more fodder to brag about? Or do you remain silent or play down the breach and risk more retribution from the hackers? Some other companies have also decided to go public about security breaches - even if they are embarrassing. Booz Allen Hamilton, a McLean, Va.-based IT consulting firm often contracted by the U.S. government, issued a statement Tuesday confirming reports that it had been attacked by Anonymous. "We are conducting a full review of the nature and extent of the attack," said the firm, which has an office in O'Fallon, Ill. "At this time, we do not believe that the attack extended beyond data pertaining to a learning management system for a government agency. Our policy and security practice is generally not to comment on such matters; however, given the publicity about this event, we believe it is important to set out our preliminary understanding of the facts. We are communicating with our clients and analyzing the nature of this attack and the data files affected. We maintain our commitment to protect our clients and our firm from illegal thefts of information."

Last winter, Anonymous also took credit for taking down MasterCard's website for several hours in response to the credit card giant's blocking of donations to WikiLeaks. Purchase, N.Y.-based MasterCard, which has its Global Technology and Operations headquartered in O'Fallon, Mo., issued a statement at the time that acknowledged the attack but also aimed to quell customers' fears. The credit card company said it had "made significant progress in restoring full-service to its corporate website. Our core processing capabilities have not been compromised and cardholder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally." The best way to deal with compromised security is to be proactive in the first place by completing continual security assessments of vulnerabilities and exposures, Marcella said. Monsanto said it is constantly on the lookout for such trouble. "Today, a number of public and private institutions are facing cyber threats and actions around the world," the company said. "Such threats are not new and something that Monsanto is constantly working to protect against." While there's no 100 percent safe computer system, Marcella said, the goal is to make the network so hard to compromise that the hackers move on to other targets. "The cost of crisis management," he said, "may far exceed the cost of better security."