Original URL: https://www.theregister.com/2012/02/02/facebook_hacked_before/

Facebook warns investors of potential SPAM DELUGE

IPO filing: Spamvalanche could kill us

By Brid-Aine Parnell

Posted in Security, 2nd February 2012 11:44 GMT

Facebook has been the first internet company to baldly state the risks it faces from hacking and spam to the markets since the SEC issued guidance on the issue.

In October last year, the US Securities and Exchange Commission told publically listed companies that it was about time they talked about the cyber-attacks they had suffered, particularly because online mischief could financially damage their products.

One of the basic rules of listing on a stock market is that firms have to make their financial comings and goings public so that investors can make (relatively) informed decisions about whether or not to buy their shares. But up until last year, there was no push in the US for companies to 'fess up when they'd been hacked.

Now the SEC says:

Registrants should address cybersecurity risks and cyber incidents in their MD&A [management discussion and analysis] if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

Facebook's widely anticipated IPO, for which the social network hopes to net a cool $5bn, is the first to actually use the words "hacking" and "spam" in their list of risk factors for investing in the firm.

"Computer malware, viruses, and computer hacking and phishing attacks have become more prevalent in our industry, have occurred on our systems in the past, and may occur on our systems in the future," the company's filing stated. "Because of our prominence, we believe that we are a particularly attractive target for such attacks."

Facebook naturally hedges its bets a bit by saying that it's not easy to say what damage an attack may do, but admits "any failure to maintain performance, reliability, security, and availability of our products and technical infrastructure to the satisfaction of our users may harm our reputation and our ability to retain existing users and attract new users".

Moving onto the pesky issue of spam, the social network said that spam could embarrass or annoy its users and make the site less user-friendly.

"We cannot be certain that the technologies and employees that we have to attempt to defeat spamming attacks will be able to eliminate all spam messages from being sent on our platform. As a result of spamming activities, our users may use Facebook less or stop using our products altogether," the filing added.

Although Facebook is the first of the big web boys to talk so openly about hacking in its initial filing, most internet firms to make some nod to the inherent dangers of doing business online.

All the way back in 2004, when Google was entering the stage, it listed "malicious third-party applications" among its risks for initial investors.

"Our business may be adversely affected by malicious applications that make changes to our users’ computers and interfere with the Google experience," the Chocolate Factory said.

"These applications have in the past attempted, and may in the future attempt, to change our users’ internet experience, including hijacking queries to Google.com, altering or replacing Google search results, or otherwise interfering with our ability to connect with our users."

And more recently, when LinkedIn filed to go public in January last year, it said: "If our security measures are compromised, or if our website is subject to attacks that degrade or deny the ability of members or customers to access our solutions, members and customers may curtail or stop use of our solutions."

But not all of the stock market entrants have been so forthcoming. Groupon, which had its delayed IPO in November, but filed with the SEC in June, listed almost every risk imaginable including their vulnerability to "earthquakes, other natural catastrophic events or terrorism", but made no mention of hacking.

The daily deals site did say it is dependent on good network infrastructure – where it mentions viruses and security – and good "internet infrastructure" – under which heading it mentions "viruses, worms, malware and similar programs [that] may harm the performance of the internet".

"The backbone computers of the internet have been the targets of such programs," the filing added, which rather made it seem like Groupon could only break if the whole internet was broken.

High-profile attacks on big firms and bodies like Sony, Citigroup and the US Air Force in the last few years brought hacking into the public consciousness and prompted a lot of governmental scrutiny.

The SEC issued its new guidance after US Senator Jay Rockefeller asked the commission to look into the issue.

"Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark," he said.

When the commission issued the guidance, it warned that companies had "increasing dependence on digital technologies to conduct their operations" so the risks associated with cybersecurity had also increased "resulting in more frequent and severe cyber incidents". ®