More news of a hacking campaign initiated by organisations linked to the Chinese government.
In an indictment unveiled in December 2018, the US Justice Department filed charges against two Chinese hackers, who it said acted 'in association with' the Chinese Ministry of State Security (MSS).
The hackers named in the indictment presided over a state-backed campaign of cyber theft that targeted advanced technologies with commercial and military applications. They also hacked into companies called 'managed service providers', which act as gatekeepers to computer networks serving scores of corporate clients. The campaign was carried out over the last 12 years, with cyberattacks that vacuumed up technology and trade secrets from corporate computers in 12 countries.
The indictment claimed that the Chinese targeted companies in the finance, telecommunications, consumer electronics and medical industries, along with U.S. government laboratories operated by the National Aeronautics and Space Administration and the military.
Thomson Reuters, in a report on 26 June 2019, said the global hacking campaign, known as Cloud Hopper, compromised Hewlett Packard Enterprise, IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology, HPE’s spun-off services arm. Clients of the service providers, including Swedish telecoms giant Ericsson, US Navy shipbuilder Huntington Ingalls Industries and travel reservation system Sabre, were also breached.
HPE, DXC, IBM, Huntington, Sabre and Ericsson each responded to say they had no evidence that sensitive corporate data was compromised by the attacks. The rest declined to comment in response to the Reuters report.
Most of the corporations named are listed on stock exchanges in the US. The US Securities and Exchange Commission (SEC) states that publicly traded US companies must deliver “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” This includes data breaches.
Did any of those publicly traded corporations disclose the breach, which spans a period of 12 years? And if not, does the non-disclosure constitute a breach of the securities law, if any? If these corporations are domiciled in any of the countries in the EU, they will be under the jurisdiction of the GDPR. The GDPR has stringent requirements as to when organisations that have suffered a breach must disclose it to the authorities.