VeriSign SEC Report Reveals 2010 Data Breaches

By CIOinsight  |  Posted 02-03-2012
VeriSign didn't disclose that it had been successfully attacked several times in 2010 because the security team didn't tell management about the incidents until recently.

VeriSign, the company responsible for the .com, .net and .gov domain spaces, acknowledged in a recent filing with the Securities and Exchange Commission that it was hacked several times in 2010. The company had not disclosed the incidents at the time they occurred.

While VeriSign admitted to the breaches in its quarterly filing with the SEC back in October, the incident was not widely publicized until a Reuters report on Feb. 2. Reuters came across the information as part of its research on the new SEC guidelines for disclosing cyber-incidents, which were published in September.

The SEC recommended that companies disclose any security issues that pose a risk to operations or incidents that can have a material impact on the business.

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," VeriSign reported in the quarterly filing.

The attackers successfully stole data during the breaches, and the company was "unable to assure" that the information was not or could not be used by the attackers. VeriSign claimed it has implemented new defensive measures to prevent similar incidents.

While VeriSign did not believe the attacks impacted the servers that are part of the Domain Name System (DNS) infrastructure, it was vague about what had happened or what was stolen. It is also not clear what defenses had been implemented and whether they were effective. "We cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign wrote in the 10-K filing.

It also appears the security team hid the breaches from VeriSign senior management when they occurred in 2010, and the breaches were not reported up the chain of command until September 2011, according to the SEC filing. "The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements," VeriSign claimed.

VeriSign did not respond to requests for comment from CIO Insight's sister publication eWEEK.



 
