In case there was any doubt, it’s now official: WikiLeaks has planted itself firmly in the corporate zeitgeist, in the form of a prominent mention in the 10-K that Ebay (EBAY) filed late on Friday afternoon.
Technically, WikiLeaks has made an appearance in the Edgar database before — on Aug. 20, in a conference-call transcript attached to an 8-K from microcap cybersecurity and consulting firm Widepoint Corp (WYY). But that was a passing mention (as Chief Technology Officer Daniel Turissini mentioned how “our daily lives have been changed by the growth of the Internet, Wikileaks, and the growing threat to privacy in our nation’s infrastructure”).
Ebay goes considerably further, noting that it suffered denial of service attacks after it shut down a WikiLeaks account “due to a violation of unit PayPal’s Acceptable Use Policy.”
“We may need to expend significant resources to protect against security breaches or to address problems caused by breaches. These issues are likely to become more difficult as we expand the number of places where we operate. Security breaches .. could damage our reputation and expose us to a risk of loss or litigation and possible liability. Our insurance policies carry low coverage limits, which may not be adequate to reimburse us for losses caused by security breaches.”
Except for the specific mention of WikiLeaks, the disclosure is, almost word-for-word, identical to the company’s previous cybersecurity warning. (The other main differences: substituting references to “payment cards” for the earlier “credit cards” and removing a vague reference of an earlier attack on its StubHub unit). But it got us wondering about other companies that reportedly suffered cyberattacks in the wake of cutting off WikiLeaks and supporters for alleged terms-of-service violations.
As you may recall, UK authorities recently arrested three teenagers and two adults, and Dutch authorities arrested two people, for allegedly targeting Visa, Mastercard and PayPal for refusing to process donations to WikiLeaks, and Amazon for booting the organization from its leased servers. (Wired has a good summary here.)
We didn’t find much, though Amazon (AMZN) is the only other company that has filed a K or Q since the December WikiLeaks imbroglio. As for 8Ks and other filings, none of them mention WikiLeaks explicitly. The closest Visa (V) came to addressing the risk of denial-of-service attacks in its 10-K on November 19 was this generic warning about potential harm to its payment networks:
“Our visibility in the global payments industry may attract terrorists and hackers to conduct physical or computer-based attacks, leading to an interruption in service, increased costs or the compromise of data security.”
Amazon, meantime, has extensive tax warnings, but this is about it when it comes to security:
“We Could Be Liable for Breaches of Security
Although we have developed systems and processes that are designed to protect customer information and prevent fraudulent transactions, data loss and other security breaches, failure to prevent or mitigate such breaches may adversely affect our operating results.”
Of course, the December attacks didn’t exactly bring any of these companies to their knees, and (as Wired points out) Visa and Mastercard don’t really rely all that heavily on their public websites. Still, the disclosure leaves at least a little to be desired. As more 10-Qs and 10-Ks come out, stay tuned.