Another certificate authority admits suffering a data breach

Feb 3, 2012 09:58 GMT

Last year, we witnessed a lot of unfortunate incidents involving certificate authorities, and trust in them seems to fade with each attack targeting these companies. Now, it turns out that even Symantec-owned Verisign suffered multiple data breaches back in 2010.

A quarterly report filed by the company with the United States Securities and Exchange Commission (SEC) reveals that the company was successfully attacked multiple times in 2010, with the hackers obtaining access to information stored on some of its computers and servers.

Fortunately, the breach didn’t affect the servers that support the company’s DNS network, but the information stored on the compromised systems was exfiltrated.

“The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks,” the report reads.

“However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.”

Furthermore, the attacks were not disclosed to the company’s management until 2011, after the incidents were investigated and it was determined that there was no need to publicly disclose related information.

While the company claims it has implemented changes to procedures and processes in order to strengthen the controls and procedures dictating the way disclosures are made, it’s highly unfortunate that these situations occur in the first place.

Last year, the attack that targeted DigiNotar caused a lot of concern among users and all major vendors were forced to take immediate action to make sure their customers were not exposed to cybercriminal operations.

Even though many similar companies claim that smaller breaches didn’t affect their workflow or the products they deliver, when digital certificates are involved, you can never know for sure.