VeriSign admits it was hacked repeatedly in 2010, staff didn't tell senior management

Filed Under: Data loss, Featured, Vulnerability

VeriSignReuters has today revealed that internet giant VeriSign was hacked repeatedly during 2010.

VeriSign believes that the attacks did not breach the servers that support the firm's Domain Name System (DNS) network, but has not ruled anything out.

Let us hope that VeriSign is right, as if the DNS network were breached it would potentially be bad news for many of the world's websites - allowing cybercriminals to redirect users attempting to visit popular sites, and potentially infect surfers with malware and intercept communications.

According to a quarterly U.S. Securities and Exchange Commission filing made in October last year, but only highlighted by Reuters reporter Joseph Menn today, the company's senior management team were not informed by their IT team about the security breaches until September 2011.

Here is the relevant section of VeriSign's SEC filing:

SEC filing

We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.

The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company's management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company's disclosure controls and procedures in this area.

Clearly something went very wrong inside VeriSign if the-powers-that-be were not informed of the breaches.

But at least the company is not now initiating a cover-up and has come clean about the security breaches - even though it is unclear as to the scope of the hacks and what data may have been exposed.

Inevitably there will be speculation that the attack could have been sponsored by a foreign state - but with the level of information shared so far it's simply impossible to say.

, , ,

You might like

7 Responses to VeriSign admits it was hacked repeatedly in 2010, staff didn't tell senior management

  1. John · 1303 days ago

    This has much to do with the SEC guidance issued on October 13, 2011. See:

    And here's why this is important:

  2. esskayhombre · 1303 days ago

    So Symantec make the news for all the wrong reasons again.

  3. LPM · 1303 days ago

    Time for SSL to die anyways:

  4. Gavin · 1302 days ago

    I think this story highlights a larger issue.

    I would confidently bet that almost ALL companies with their own IT departments (from the very small to the multi-nationals) have issues with what's disclosed up the chain of command and what's not.

    What IT technician wants to spam his superiors the whole time about every concern he/she has? But eventually something will happen, the seriousness of which is not discovered until much later, or maybe not at all.

    It's easy for the media to jump on these sorts of happenings when they become public in noteworthy companies, but I would think that this is a problem endemic to just about any organisation with a computer network and some data on it to protect.

    -- Gavin

  5. Jonathon T · 1302 days ago

    I applaud companies when they admit a breach, but yes, many companies don't have the technology in place to detect breaches in a timely manner. Kudos to the ones who do and who immediately notify their customers of any breaches.

  6. I work for Symantec.

    To clarify, Verisign, Inc. was compromised, not the Verisign security product lines that were acquired by Symantec.

    Symantec was not compromised.

    For more info, you can read the Symantec Business Authentication blogpost here:

  7. I find it telling that at the end they state that they found their reporting procedures adequate, but decided to change them to address, I guess you could call the "lack of reporting". This almost says that they were implemented to provide a free "gimmee" to management should they get breeched. The fact that it was not reported, but only found by a diligent reporter examining the SEC filings, fits in with other things Verisign has done in the past, such as "Domain Slamming", where they sent notices to domain registrants making them believe their domains were expiring, when in reality, unbeknownst to the registrants, they were transferring their domains to Verisign. Another was when they implemented their "Site Finder" service, where, if people were to navigate to a site that didn't exist, instead of getting a domain not found error, they would be redirected to a search service run by Verisign.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley