Our Daily Breach: Season 2
Murdoc tries to revive this concept of Our Daily Breach with a breach he's covered before. We're not sure if he was trained to be this stupid or he just does these things of his own accord.
A year ago I had this naive idea that I could write about a new breach every day of the week. It was something we had to do in cybersecurity bootcamp and it stuck with me as a fun exercise to learn from the mistakes of others. It started with this breach of a beverage company (CCU).
Since then, Scotiabank predicted that this would have no substantial financial impact to the Chilean beverage supplier. I found this assessment weird because this breach was not reported as contained at the time of SEC filing. Nor was it specifically addressed as contained in the addendum filed after according to the company investors relations page. The last comment the company made about the incident was this memo to the Chilean Financial Market Commission on September 27, 2024:
In order to keep the market and the general public duly informed, Compañía Cervecerías Unidas S.A. (“CCU”) hereby supplements the communication made on September 26, 2024, as a Material Event, in the following terms:
• In relation to the containment, eradication and recovery stages regarding the
Cybersecurity Incident, CCU can confirm that there is not and has not been any
propagation of the threat to third parties, including its customers and suppliers.
• In relation to the information leakage, CCU can confirm that it has immutable backups of all its digital files.
With the advice of expert technicians, CCU continues to conduct digital forensic analysis work on the Cybersecurity Incident and, if applicable, will update the content of this communication.
As previously indicated, CCU has maintained its operational continuity at all times.
Sincerely,
Patricio Jottar Nasrallah
Chief Executive Officer
Compañía Cervecerías Unidas S.A.
Shortly after this letter was sent to investor CCU shares on the NYSE plummeted nearly 20%. While we can't establish cause, I'd wager that it had a lot more to do with Goldman Sachs to changing their evaluation of CCU from Neutral to Sell based on declining sales in the beer market. Pour one out for sobriety.
If we zoom out a full year and look at the total impact of this unresolved breach going by stock price publicly traded on the NYSE the financial damage is a whopping...
$0.60 per share increase!?

Well that's neat. CCU had a temporary dip but somehow beat inflation. Yes even in Chile, I checked. It is fair to point out that a ticker symbol price is one metric in the terms of overall financial health. If you go look at their quarterly financials for Q2 this year, it is no bueno.

I'm sure somehow, someway this beverage titan will manage to recover. It's like the CEO assured their shareholders with no evidence and no follow-up. Everything is fine. The threat did not propagate. There's nothing to see here. It's definitely not the same pattern happening in Japan's beverage supply chain.
As a certain Scar once said:
Organizations get popped, they recover, life goes on.
This particular organization managed to recover just fine and it makes one question the claims of reputational damage and reports that suggest that data breaches cost organizations an average of $4.4M USD (IBM 2025).