VeriSign Management Was 'Out of the Loop' About 2010 Data Breaches

VeriSign didn't disclose that it had been successfully attacked several times in 2010 because the security team didn't tell management about the incidents until recently.

VeriSign, the company responsible for the .com, .net and .gov domain spaces, acknowledged in a recent filing with the Securities and Exchange Commission that it was hacked several times in 2010. The company had not disclosed the incidents at the time they occurred.

While VeriSign admitted to the breaches in its quarterly filing with the SEC back in October, the incident was not widely publicized until a Reuters report on Feb. 2. Reuters came across the information as part of its research on the SEC's new guidelines for disclosing cyber-incidents, which were published in September.

The SEC recommended companies disclose any security issues that pose a risk for operations or incidents that can have material impact on the business.

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," VeriSign reported in the quarterly filing.

The attackers successfully stole data during the breaches, and the company was "unable to assure" that the information was not or could not be used by the attackers. VeriSign claimed it has implemented new defensive measures to prevent similar incidents.

While VeriSign did not believe the attacks impacted the servers that are part of the Domain Name System (DNS) infrastructure, it was vague about what had happened or what was stolen. It is also not clear what defenses had been implemented and whether they were effective. "We cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign wrote in the 10-K filing.

It also appears the security team hid the breaches from VeriSign senior management when they occurred in 2010, and the incidents were not reported up the chain of command until September 2011, according to the SEC filing.

"The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements," VeriSign claimed.

VeriSign did not respond to eWEEK's requests for comment.

"VeriSign has been the gold standard for authentication, how users know that they can trust another party or system, but far from the gold standard on disclosure and response," said Jonathan Gossels, president of SystemExperts. It is "unfathomable" that the incidents were suppressed for more than a year, he said.

The process broke down when the security team didn't keep the senior managers in the loop, said Mandeep Khera, CMO of LogLogic. By not notifying senior management, the company also bypassed breach notification regulations, Khera said.

The attacks against VeriSign "shouldn't surprise anyone" as attackers are increasingly focusing their energies against the Secure Sockets Layer (SSL), said Rob Rachwald, director of security strategy at Imperva. The attacks will reach a "tipping point," at which point there will be a serious discussion about real alternatives for securing Web communications, he said.

VeriSign's authentication business, which includes generating SSL certificates, was acquired in May 2010 by Symantec for $1.28 billion. The deal was finalized Aug. 9, 2010. VeriSign's DNS servers process billions of Web queries and direct Internet users to the correct Website. It ensures the integrity of .com, .net and .gov domains.

Symantec insists that the SSL business is secure. "The Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing," Symantec said in an emailed statement.

"If the DNS network were breached it would potentially be bad news for many of the world's websites, allowing cyber-criminals to redirect users attempting to visit popular sites and potentially infect surfers with malware and intercept communications," Graham Cluley, a senior technology consultant with Sophos, wrote on the Naked Security blog.

Shortly after the DigiNotar breach in July, which was disclosed in September, Mozilla sent letters to major certificate authorities (CAs) to demand they audit their networks and assure the systems remain secure from attackers. Mozilla implied that failure to comply with the request would result in the CA being removed as a trusted authority from Firefox.

Symantec had told Mozilla at the time that it was confident the systems had not been affected by recent breaches, Fran Rosch, vice president of Trust Services at Symantec, told eWEEK Sept. 9. The company has invested in "the most robust and scalable" certificate authentication, issuance, management and hierarchy infrastructure in the industry, according to Rosch. "Our VeriSign, Thawte, GeoTrust and RapidSSL roots remain secure," Rosch said.

As there appears to be no immediate threat against Firefox users as a result of this disclosure, Mozilla does not plan on taking any action at this time, Mozilla said via email.