Monsanto hacked, client and staff records exposed - but by who, and why?

If you work for Monsanto, or your organisation is a customer of the agriculture and biotech giant, then there's some bad news.

The controversial company has admitted that someone managed to breach its network security, and access servers that contained sensitive information - including customer names, addresses, tax ID numbers, and (in some cases) financial information.

In addition, Monsanto's human resources department was also storing personal information on the compromised servers - including tax forms that contained employees' names, addresses, and Social Security numbers and ("for a small number of employees") driver's license numbers.

1300 customers and employees are said to have been impacted by the hack, but in a letter to Maryland's Attorney General from Monsanto's Precision Planting division the company claims that it does not believe that the attackers were attempting to steal customer information.

Disclosure letter from Monsanto

"We believe this unauthorised access was not an attempt to steal customer information; however, it is possible that files containing personal information may have been accessed and therefore we are making this notification."

Which is, in itself, interesting.

Monsanto, the world's largest producer of genetically modified seeds, has stirred worldwide protests for its successful lobbying against the mandatory labelling of food containing genetically modified organisms (GMOs).

This is pure speculation, of course, but is it possible that whoever hacked Monsanto wasn't interested in stealing customer information (which the company clearly believes), but instead targeted the controversial multinational because of its love for genetically engineered crops?

I'm sure the guys behind March Against Monsanto wouldn't condone anyone breaking the law or being involved in a hack, but I wouldn't be surprised to discover it was someone who had an (understandable) grudge against the company who was responsible for this attack.

Of course, another theory might be that this branch of Monsanto was hacked with the intention of breaching a different division or separate organisation entirely, using the company as an effective "stepping stone", perhaps with the thought that Precision Planting would have "softer" security than the true intended victim.

I'll be talking more about targeted attacks in the coming weeks at events hosted by FourSys in Scotland and Belfast. Feel free to check out the details of these exclusive security conferences.

If you have a theory, feel free to leave a comment below.


5 Responses

  1. Bill Kreps

    June 2, 2014 at 3:14 pm #

    Is it possible that this is another Chinese commercial espionage attack? Will they not now phish those employees in an effort to gain access to Monsanto trade secrets. It only takes a successful phish against one employee who is using the same password for personal accounts on a corporate account.

    • Graham Cluley in reply to Bill Kreps.

      June 2, 2014 at 3:50 pm #

      It's certainly plausible.

      In 2010, Chinese hackers tried to derail a $40 billion takeover of the world’s largest potash producer by Australian mining giant BHP.

      In that case, spoofed emails, carrying spyware, were sent to the company's law firms. Over several months, the hackers broke into one secure computer network after another. Ultimately seven different law firms were hit, as well as Canada's Finance Ministry and Treasury Board.

      The deal fell through anyway, but the stolen data could have been worth tens of millions and given the party who possessed it an unfair business advantage.

  2. Tom Smith

    June 2, 2014 at 3:59 pm #

    Graham,

    Better to stick to what you know — computer security — and leave your personal political biases at home:

    " I wouldn’t be surprised to discover it was someone who had an (understandable) grudge against the company"

    "understandable" is just so not needed here. Besides, it tends to suggest sympathy for the hack which of course just fosters hacks.

    • Graham Cluley in reply to Tom Smith.

      June 2, 2014 at 4:05 pm #

      Like it says at the top of every page: "computer security news, advice and opinion". That's what makes this (hopefully) a more interesting place to visit than a bland security blog maintained by a vendor.

      Monsanto appears to have trampled on a lot of the little guys over the years, and as a parent I don't appreciate them lobbying against food being accurately labelled. I can understand why some folks might have a grudge against them – which is why I used the word.

      But hey, this is what the comments area is for on a blog. Opposing views are welcomed.

      And if I left any shadow of doubt – let me be clear. I do not believe the hack can be justified through that, or any other motivation. Hacking is illegal, and I have never been a supporter of it.

      Sorry you didn't like me expressing an opinion on this. I hope it doesn't ruin your enjoyment of the other commentary I provide.

  3. Val Giddings

    June 2, 2014 at 8:59 pm #

    It's fine to have opinions. Far better when they are supported by the underlying facts.

    In regards to Monsanto "lobbying against food being accurately labeled" you have it 180 degrees off. See http://www.geneticliteracyproject.org/2013/10/31/genetic-literacy-project-infographic-is-labeling-really-about-our-right-to-know/#.U4zWWfm-2m4 or even http://www2.itif.org/2014-testimony-opposition-vt-h112.pdf. As for Monsanto trampling on little guys – again, your view is contradicted by the data. See, for example, the Canadian Supreme Court's findings in favor of Monsanto with respect to the darling of biotech opponents, Percy Schmeisser, whom the court found to be a liar and a thief: http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/2147/index.do Few companies have done more to uplift the little guys, specifically, the 17 million smallholders in the developing world whose lives have been improved by seeds improved through biotechnology http://isaaa.org/resources/publications/briefs/46/default.asp and also http://www.pgeconomics.co.uk/publications.php

    As for the hacking — there are a number of folks driven by malice toward Monsanto based on misunderstanding of the facts. Those of us who follow these matters would be quite surprised if the hacker were not associated with them, and allied with the marchers.