We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

VeriSign admits it was hacked in 2010 but managers not told

Buries disturbing news in SEC filing

Internet giant VeriSign suffered a series of data breaches in 2010 and even now senior executives are not sure exactly what was compromised, the company has admitted in a filing made to the Securities and Exchange Commission (SEC).

News of the previously unmentioned breaches has been uncovered by Reuters from 2,000 pages of documents filed on the subject of security as part of a regulatory disclosure last October.

From the few details mentioned in the Reuters report, it appears that staff became aware of the breaches but did not tell their bosses until September 2011, only weeks before the SEC itself was informed by the company.

What was taken and precisely when could turn out to be the critical missing element of the story.

Verisign sold its critical SSL, Code Signing Certificate Services, and Managed Public Key Infrastructure (MPKI) Services to Symantec in August 2010, which raises the possibility that one of these might have been compromised before that date.

If so, it would be another part of a larger story in which the SSL certificate systems of a number of large companies were hacked and compromised during 2010 and 2011, undermining a certificate business that forms the hub of Internet security.

Victims have included Comodo, Diginotar, GlobalSign, KPN, and Digicert Malaysia; adding a company as important as VeriSign to that list would be a disturbing development. RSA's SecurID token system was also attacked.

"There is no indication that the 2010 corporate network security breach mentioned by VeriSign was related to the acquired SSL product production systems," Reuters quoted Symantec spokeswoman Nicole Kenyon as saying by way of reassurance.

Any attacker getting their hands on genuine SSL certificates would be able to impersonate websites as a way of tricking users, or other servers, into connecting to them. SSL security is utterly fundamental and a loss of trust in this infrastructure would be a disaster.

VeriSign also has responsibility for managing core elements of the global DNS system.

[VeriSign management ] "do not believe these attacks breached the servers that support our Domain Name System network," a company source was quoted as saying.

IDG UK Sites

New iPhone 6 review: best ever iPhone is very good... but no longer the best phone you can buy

IDG UK Sites

Is Apple losing confidence in itself?

IDG UK Sites

Professional photo and video techniques for perfect colours

IDG UK Sites

How (and where) to buy an iPhone 6 or iPhone 6 Plus in the UK. Plus: What to do if you pre-ordered...