Dutch CA Files for Bankruptcy After Security Breach
Dutch certificate authority DigiNotar has closed its doors, less than a month after news broke about the security breach in which fake digital certificates were issued for high-profile Web sites.
DigiNotar filed for voluntary bankruptcy, parent company Vasco Data Security said on Sept. 20. A trustee will oversee the process and all assets will be folded into Vasco, the company said.
The company's internal systems were compromised in June and attackers managed to generate over 500 fraudulent security certificates, including Google, Facebook, Twitter, Microsoft and Skype. These certificates could be used to impersonate Websites and intercept user information.
After the news broke, Microsoft, Mozilla, Google and other companies revoked all DigiNotar certificates from the trusted list. "It's game over for DigiNotar. Very soon they will officially no longer be a valid entity to issue certificates," Andrew Storms, director of security operations for nCircle, told eWEEK at the time.
It's believed that at least one was used to eavesdrop on the Google email accounts of about 300,000 people in Iran. The attack was uncovered on July 19, but DigiNotar did not successfully revoke all the fake certificates.
"The firm lost all trust when when it was discovered that it had known that it had suffered a security breach weeks before coming clean about the problem," Graham Cluley, a senior technology consultant at Sophos, wrote on the Naked Security blog.
An initial foreniscs report found that the attackers had almost total access to the company's network. A person claiming responsibility for the DigiNotar incident also said four other certificate authorities had been compromised.
"We are working to quantify the damages caused by the hacker's intrusion into DigiNotar's system and will provide an estimate of the range of losses as soon as possible, " said Vasco in a statement.
Vasco said its network and systems were separate from DigiNotar and remained secure.
DigiNotar is not the first company forced out of business because of a cyber-attack, F-Secure CTO Mikko Hypponen wrote on the News from the Lab blog. He listed an Australian hosting provider, Distribute.IT, who didn't have any recoverable backups and couldn't recover after being hacked. Angry spammers launched distributed denial-of-service attacks against an anti-spam company outfit called Blue Frog and forced it to close.