What happened at VeriSign?

VeriSign's latest 10Q report has an interesting paragraph in it. It says this:

We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.

The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company’s management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company’s disclosure controls and procedures in this area. See Item 4 “Controls and Procedures” in Part I of this report.

Now VeriSign is essentially out of the digital certificate business, so it's unlikely that this is another example of a CA/RA being compromised. Instead, they really just focus on DNS for several of the Internet's top-level domains (.com, .edu, etc.), so if anything was affected, it woudl probably have been the integrity of DNS. But without further information from VeriSign, it's not clear exactly what happened. Maybe we'll find that out over the next few weeks.

Leave a Reply

Your email address will not be published. Required fields are marked *