If you work for Monsanto, or your organisation is a customer of the agriculture and biotech giant, then there’s some bad news.
The controversial company has admitted that someone managed to breach its network security, and access servers that contained sensitive information – including customer names, addresses, tax ID numbers, and (in some cases) financial information.
In addition, Monsanto’s human resources department was storing personal information on the compromised servers – including tax forms that contained employees’ names, addresses, Social Security numbers and (“for a small number of employees”) driver’s license numbers.
1300 customers and employees are said to have been impacted by the hack, but in a letter to Maryland’s Attorney General from Monsanto’s Precision Planting division, the company claims that it does not believe the attackers were attempting to steal customer information.
“We believe this unauthorised access was not an attempt to steal customer information; however, it is possible that files containing personal information may have been accessed and therefore we are making this notification.”
Which is, in itself, interesting.
Monsanto, the world’s largest producer of genetically modified seeds, has stirred worldwide protests for its successful lobbying against the mandatory labelling of food containing genetically modified organisms (GMOs).
This is pure speculation, of course, but is it possible that whoever hacked Monsanto wasn’t interested in stealing customer information (which the company clearly believes), but instead targeted the controversial multinational because of its love for genetically engineered crops?
I’m sure the guys behind March Against Monsanto wouldn’t condone anyone breaking the law or being involved in a hack, but I wouldn’t be surprised to discover it was someone who had an (understandable) grudge against the company who was responsible for this attack.
Of course, another theory might be that this branch of Monsanto was hacked with the intention of breaching a different division or separate organisation entirely, using the company as an effective “stepping stone”, perhaps with the thought that Precision Planting would have “softer” security than the true intended victim.
I’ll be talking more about targeted attacks in the coming weeks at events hosted by FourSys in Scotland and Belfast. Feel free to check out the details of these exclusive security conferences.
If you have a theory, feel free to leave a comment below.