Hackers stole data from VeriSign in 2010

VeriSign discloses in quarterly SEC filing that hackers stole data in successful attacks, but doesn't say what data was stolen.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Attackers repeatedly hacked VeriSign's network and stole information in 2010, the company revealed in a quarterly regulatory filing.

The Internet infrastructure provider did not disclose what information was stolen or other details of the attacks in its 10-Q report filed in October with the U.S. Securities and Exchange Commission that was reported on by Reuters today.

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," the company wrote. "Information stored on the compromised corporate systems was exfiltrated."

The company said it did not believe attackers had breached the servers that run the domain name system (DNS) network, a key piece of infrastructure that directs people to the correct site when they type in a Web address. A compromise of the DNS system could allow attackers to redirect Web surfers to malicious sites or to intercept government or important e-mail communications.

The disclosure was in the "Risk factors" section of the filing, under a heading titled: "We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management."

VeriSign's information security group was aware of the attacks shortly after they occurred, sometime in 2010, the filing said. Meanwhile, management was not informed until September 2011.

"Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," the filing said. "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

Meanwhile, Symantec, which bought VeriSign's certificate business in summer 2010, said those products and services were not affected. "Symantec takes the security and proper functionality of its solutions very seriously," Symantec spokeswoman Nicole Kenyon said. "The Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing."

Asked for comment, VeriSign provided CNET this statement: "We cannot provide any further information than what is included in the 10-Q document Verisign filed on October 28, 2011."

Reuters discovered the VeriSign disclosure during an examination of more than 2,000 corporate documents that were filed since the SEC published new guidelines for reporting security breaches.

The disclosure is reminiscent of a public announcement RSA made last year of a "sophisticated" targeted cyberattack that led to data theft that put millions of customers of its SecurID authentication tokens at risk. There also were breaches at other certificate authorities, including GlobalSign, DigiNotar, and Comodo reported last year. And in 2010, Google went public with news that it had been the victim of a targeted attack, likely from China.

Updated at 1:10 p.m. PT with Symantec statement saying certificate business was not compromised or affected.