VeriSign admits it was hacked repeatedly in 2010, staff didn’t tell senior management

VeriSign hacked

VeriSignReuters has today revealed that internet giant VeriSign was hacked repeatedly during 2010.

VeriSign believes that the attacks did not breach the servers that support the firm’s Domain Name System (DNS) network, but has not ruled anything out.

Let us hope that VeriSign is right, as if the DNS network were breached it would potentially be bad news for many of the world’s websites – allowing cybercriminals to redirect users attempting to visit popular sites, and potentially infect surfers with malware and intercept communications.

According to a quarterly U.S. Securities and Exchange Commission filing made in October last year, but only highlighted by Reuters reporter Joseph Menn today, the company’s senior management team were not informed by their IT team about the security breaches until September 2011.

Here is the relevant section of VeriSign’s SEC filing:

SEC filing

We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.

The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company's management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company's disclosure controls and procedures in this area.

Clearly something went very wrong inside VeriSign if the-powers-that-be were not informed of the breaches.

But at least the company is not now initiating a cover-up and has come clean about the security breaches – even though it is unclear as to the scope of the hacks and what data may have been exposed.

Inevitably there will be speculation that the attack could have been sponsored by a foreign state – but with the level of information shared so far it’s simply impossible to say.