Monsanto hacked, client and staff records exposed – but by who, and why?

Graham Cluley

If you work for Monsanto, or your organisation is a customer of the agriculture and biotech giant, then there’s some bad news.

The controversial company has admitted that someone managed to breach its network security, and access servers that contained sensitive information – including customer names, addresses, tax ID numbers, and (in some cases) financial information.

In addition, Monsanto’s human resources department was also storing personal information on the compromised servers – including tax forms that contained employees’ names, addresses, and Social Security numbers and (“for a small number of employees”) driver’s license numbers.

1300 customers and employees are said to have been impacted by the hack, but in a letter to Maryland’s Attorney General from Monsanto’s Precision Planting division the company claims that it does not believe that the attackers were attempting to steal customer information.

Disclosure letter from Monsanto

“We believe this unauthorised access was not an attempt to steal customer information; however, it is possible that files containing personal information may have been accessed and therefore we are making this notification.”

Which is, in itself, interesting.

Monsanto, the world’s largest producer of genetically modified seeds, has stirred worldwide protests for its successful lobbying against the mandatory labelling of food containing genetically modified organisms (GMOs).

This is pure speculation, of course, but is it possible that whoever hacked Monsanto wasn’t interested in stealing customer information (which the company clearly believes), but instead targeted the controversial multinational because of its love for genetically engineered crops?

I’m sure the guys behind March Against Monsanto wouldn’t condone anyone breaking the law or being involved in a hack, but I wouldn’t be surprised to discover it was someone who had an (understandable) grudge against the company who was responsible for this attack.

Of course, another theory might be that this branch of Monsanto was hacked with the intention of breaching a different division or separate organisation entirely, using the company as an effective “stepping stone”, perhaps with the thought that Precision Planting would have “softer” security than the true intended victim.

I’ll be talking more about targeted attacks in the coming weeks at events hosted by FourSys in Scotland and Belfast. Feel free to check out the details of these exclusive security conferences.

If you have a theory, feel free to leave a comment below.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

5 Replies to “Monsanto hacked, client and staff records exposed – but by who, and why?”

  1. Is it possible that this is another Chinese commercial espionage attack? Will they not now phish those employees in an effort to gain access to Monsanto trade secrets? It only takes a successful phish against one employee who is using the same password for personal accounts on a corporate account.

    1. It's certainly plausible.

      In 2010, Chinese hackers tried to derail a $40 billion takeover of the world’s largest potash producer by Australian mining giant BHP.

      In that case, spoofed emails, carrying spyware, were sent to the company’s law firms. Over several months, the hackers broke into one secure computer network after another. Ultimately seven different law firms were hit, as well as Canada’s Finance Ministry and Treasury Board.

      The deal fell through anyway, but the stolen data could have been worth tens of millions and given the party who possessed it an unfair business advantage.

  2. Graham,

    Better to stick to what you know — computer security — and leave your personal political biases at home:

    "I wouldn’t be surprised to discover it was someone who had an (understandable) grudge against the company"

    "understandable" is just so not needed here. Besides, it tends to suggest sympathy for the hack which of course just fosters hacks.

    1. Like it says at the top of every page: "computer security news, advice and opinion". That's what makes this (hopefully) a more interesting place to visit than a bland security blog maintained by a vendor.

      Monsanto appears to have trampled on a lot of the little guys over the years, and as a parent I don't appreciate them lobbying against food being accurately labelled. I can understand why some folks might have a grudge against them – which is why I used the word.

      But hey, this is what the comments area is for on a blog. Opposing views are welcomed.

      And if I left any shadow of doubt – let me be clear. I do not believe the hack can be justified through that, or any other motivation. Hacking is illegal, and I have never been a supporter of it.

      Sorry you didn't like me expressing an opinion on this. I hope it doesn't ruin your enjoyment of the other commentary I provide.

  3. It's fine to have opinions. Far better when they are supported by the underlying facts.

    In regards to Monsanto "lobbying against food being accurately labeled" you have it 180 degrees off. See http://www.geneticliteracyproject.org/2013/10/31/genetic-literacy-project-infographic-is-labeling-really-about-our-right-to-know/#.U4zWWfm-2m4 or even http://www2.itif.org/2014-testimony-opposition-vt-h112.pdf. As for Monsanto trampling on little guys – again, your view is contradicted by the data. See, for example, the Canadian Supreme Court's findings in favor of Monsanto with respect to the darling of biotech opponents, Percy Schmeiser, whom the court found to be a liar and a thief: http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/2147/index.do Few companies have done more to uplift the little guys, specifically, the 17 million smallholders in the developing world whose lives have been improved by seeds improved through biotechnology http://isaaa.org/resources/publications/briefs/46/default.asp and also http://www.pgeconomics.co.uk/publications.php

    As for the hacking — there are a number of folks driven by malice toward Monsanto based on misunderstanding of the facts. Those of us who follow these matters would be quite surprised if the hacker were not associated with them, and allied with the marchers.
