Monsanto hacked, client and staff records exposed – but by who, and why?

If you work for Monsanto, or your organisation is a customer of the agriculture and biotech giant, then there’s some bad news.

The controversial company has admitted that someone managed to breach its network security, and access servers that contained sensitive information – including customer names, addresses, tax ID numbers, and (in some cases) financial information.

In addition, Monsanto’s human resources department was also storing personal information on the compromised servers – including tax forms that contained employees’ names, addresses, and Social Security numbers and (“for a small number of employees”) driver’s license numbers.

1300 customers and employees are said to have been impacted by the hack, but in a letter to Maryland’s Attorney General from Monsanto’s Precision Planting division the company claims that it does not believe that the attackers were attempting to steal customer information.

Disclosure letter from Monsanto

“We believe this unauthorised access was not an attempt to steal customer information; however, it is possible that files containing personal information may have been accessed and therefore we are making this notification.”

Which is, in itself, interesting.

Monsanto, the world’s largest producer of genetically modified seeds, has stirred worldwide protests for its successful lobbying against the mandatory labelling of food containing genetically modified organisms (GMOs).

This is pure speculation, of course, but is it possible that whoever hacked Monsanto wasn’t interested in stealing customer information (which the company clearly believes), but instead targeted the controversial multinational because of its love for genetically engineered crops?

I’m sure the guys behind March Against Monsanto wouldn’t condone anyone breaking the law or being involved in a hack, but I wouldn’t be surprised to discover it was someone who had an (understandable) grudge against the company who was responsible for this attack.


Of course, another theory might be that this branch of Monsanto was hacked with the intention of breaching a different division or separate organisation entirely, using the company as an effective “stepping stone”, perhaps with the thought that Precision Planting would have “softer” security than the true intended victim.

I’ll be talking more about targeted attacks in the coming weeks at events hosted by FourSys in Scotland and Belfast. Feel free to check out the details of these exclusive security conferences.

If you have a theory, feel free to leave a comment below.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

5 comments on “Monsanto hacked, client and staff records exposed – but by who, and why?”

  1. Bill Kreps

    Is it possible that this is another Chinese commercial espionage attack? Will they not now phish those employees in an effort to gain access to Monsanto trade secrets? It only takes a successful phish against one employee who is using the same password for personal accounts on a corporate account.

    1. Graham Cluley · in reply to Bill Kreps

      It's certainly plausible.

      In 2010, Chinese hackers tried to derail a $40 billion takeover of the world’s largest potash producer by Australian mining giant BHP.

      In that case, spoofed emails, carrying spyware, were sent to the company’s law firms. Over several months, the hackers broke into one secure computer network after another. Ultimately seven different law firms were hit, as well as Canada’s Finance Ministry and Treasury Board.

      The deal fell through anyway, but the stolen data could have been worth tens of millions and given the party who possessed it an unfair business advantage.

  2. Tom Smith

    Graham,

    Better to stick to what you know — computer security — and leave your personal political biases at home:

    "I wouldn’t be surprised to discover it was someone who had an (understandable) grudge against the company"

    "understandable" is just so not needed here. Besides, it tends to suggest sympathy for the hack which of course just fosters hacks.

    1. Graham Cluley · in reply to Tom Smith

      Like it says at the top of every page: "computer security news, advice and opinion". That's what makes this (hopefully) a more interesting place to visit than a bland security blog maintained by a vendor.

      Monsanto appears to have trampled on a lot of the little guys over the years, and as a parent I don't appreciate them lobbying against food being accurately labelled. I can understand why some folks might have a grudge against them – which is why I used the word.

      But hey, this is what the comments area is for on a blog. Opposing views are welcomed.

      And if I left any shadow of doubt – let me be clear. I do not believe the hack can be justified through that, or any other motivation. Hacking is illegal, and I have never been a supporter of it.

      Sorry you didn't like me expressing an opinion on this. I hope it doesn't ruin your enjoyment of the other commentary I provide.

  3. Val Giddings

    It's fine to have opinions. Far better when they are supported by the underlying facts.

    In regards to Monsanto "lobbying against food being accurately labeled" you have it 180 degrees off. See http://www.geneticliteracyproject.org/2013/10/31/genetic-literacy-project-infographic-is-labeling-really-about-our-right-to-know/#.U4zWWfm-2m4 or even http://www2.itif.org/2014-testimony-opposition-vt-h112.pdf. As for Monsanto trampling on little guys – again, your view is contradicted by the data. See, for example, the Canadian Supreme Court's findings in favor of Monsanto with respect to the darling of biotech opponents, Percy Schmeisser, whom the court found to be a liar and a thief: http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/2147/index.do Few companies have done more to uplift the little guys, specifically, the 17 million smallholders in the developing world whose lives have been improved by seeds improved through biotechnology http://isaaa.org/resources/publications/briefs/46/default.asp and also http://www.pgeconomics.co.uk/publications.php

    As for the hacking — there are a number of folks driven by malice toward Monsanto based on misunderstanding of the facts. Those of us who follow these matters would be quite surprised if the hacker were not associated with them, and allied with the marchers.
