FAQ about the VeriSign data breaches

A VeriSign filing with the Securities and Exchange Commission reveals that the company suffered more than one data breach in 2010, raising questions about how secure the company's products are and what customers should do about it.

Here are some of those questions and some answers.

THE DATA BREACH QUIZ

What happened?

VeriSign suffered multiple security breaches in 2010 in which data was stolen.

What was stolen?

VeriSign won't say.

Does it affect the DNS network the company supports?

VeriSign doesn't think so, but isn't sure.

Has the stolen information put VeriSign customers at risk?

It's hard to say, since VeriSign is mum about what was stolen. The company does say it is not aware of any of the stolen data having been used, but it also admits it can't be sure.

What should customers of VeriSign do to be safe?

The possibilities range from doing nothing, on the assumption that VeriSign would have told them if there were a serious problem, to assuming the worst and moving to another provider. Without more specifics about what was stolen, it's hard to say which is best. Customers who ask VeriSign directly may get more detail than the company has given the press, as happened when RSA suffered a breach last year.

When exactly did this happen?

Sometime before Aug. 9, 2010, when Symantec completed its purchase of VeriSign's authentication business. Symantec says the breaches didn't occur after it bought those assets.

When was it reported to the SEC?

Fall 2011.

What took the company so long?

New SEC guidance on disclosing cyber incidents took effect in October 2011.

So VeriSign was forced into revealing the breaches by the SEC?

That, and the fact that the employees who knew about the breaches didn't tell upper management until September 2011, or, as VeriSign put it, "the attacks were not sufficiently reported to the Company's management."

Why is this coming to light now?

The news service Reuters turned it up when investigating what kinds of filings the new rules prompted.

Under the rules when is a breach serious enough to report?

The SEC guidelines don't go into specifics, but say in part: "Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky."

How much do companies have to tell the SEC?

The guidelines are lengthy but include this: "... if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition."

What is VeriSign doing about the problem?

According to its SEC filing, the company "may have to expend significant time and money to maintain or increase the security of our facilities and infrastructure." Even so, the company could fall prey to other attacks, the filing says. "It is possible that we may have to expend additional financial and other resources to address such problems."

What's so important about what VeriSign does, anyway?

It operates two of the Internet's 13 root DNS servers (the A and J roots). Worst case, if those servers were compromised and began handing out altered root data, resolvers that rely on them could be steered to the wrong name servers, and typing a URL would no longer reliably get you where you want to go.

Anything else?

VeriSign's authentication business, which Symantec bought in 2010, issues SSL digital certificates that are supposed to assure Internet users they are reaching the servers they intend to before making encrypted connections with them. A certificate authority vouches that whoever holds a certificate controls the domain named in it, and browsers trust any certificate that chains to a CA in their root store. If a CA's issuance system is compromised, criminals can obtain certificates for domains they don't control, masquerade as legitimate websites and steal valuable personal information from victims who are duped by the deception.
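The trust model just described, as an added example that is not part of this article and is not VeriSign's or Symantec's code: a POSIX shell script using the openssl command line builds two unrelated root CAs, has both of them issue a certificate for the same hostname, and shows that ordinary chain validation against a store trusting both roots accepts either certificate, while pinning the public key of the CA the site actually uses rejects the one from the other CA. The CA names, the hostname login.example.net and the verify_pinned helper are assumptions constructed for the example; nothing is fetched from the network.

```shell
#!/bin/sh
# Added example (not the article's or VeriSign's code). Builds two unrelated
# root CAs, "expected-ca" and "rogue-ca", and has each issue a certificate for
# the same assumed hostname. Plain chain validation against a store that
# trusts both roots accepts both leaves, which is the exposure a compromised
# CA creates; pinning the SPKI hash of the CA you expect rejects the second.
# Everything is generated locally with the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"
HOST="login.example.net"   # assumed hostname, constructed for the example

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > leaf.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

# make_ca NAME: self-signed root CA (NAME.key, NAME.crt)
make_ca() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# issue_leaf CA PREFIX: server certificate for $HOST signed by CA
issue_leaf() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -sha256 -days 90 -extfile leaf.ext -out "$2.crt" >/dev/null 2>&1
}

# spki_pin CERT: base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP-style pin
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# chain_ok LEAF TRUSTSTORE: "yes" if LEAF chains to TRUSTSTORE and names $HOST
chain_ok() {
  if openssl verify -CAfile "$2" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# verify_pinned LEAF TRUSTSTORE ANCHOR EXPECTED_PIN (assumed helper)
# Browser-style validation first, then require that ANCHOR matches the
# configured pin and that LEAF chains to ANCHOR alone. A leaf from any other
# trusted CA passes the first check and fails the third.
verify_pinned() {
  [ "$(chain_ok "$1" "$2")" = yes ] || { echo "REJECT: chain invalid"; return 0; }
  [ "$(spki_pin "$3")" = "$4" ] || { echo "REJECT: anchor does not match pin"; return 0; }
  [ "$(chain_ok "$1" "$3")" = yes ] || { echo "REJECT: issued by an unpinned CA"; return 0; }
  echo ACCEPT
}

make_ca expected-ca
make_ca rogue-ca
cat expected-ca.crt rogue-ca.crt > truststore.pem   # both roots trusted, like a browser store
issue_leaf expected-ca site-legit
issue_leaf rogue-ca site-rogue
PIN=$(spki_pin expected-ca.crt)                     # what the site operator would publish

echo "legit, chain only: $(chain_ok site-legit.crt truststore.pem)"   # yes
echo "rogue, chain only: $(chain_ok site-rogue.crt truststore.pem)"   # yes: the exposure
echo "legit, pinned:     $(verify_pinned site-legit.crt truststore.pem expected-ca.crt "$PIN")"   # ACCEPT
echo "rogue, pinned:     $(verify_pinned site-rogue.crt truststore.pem expected-ca.crt "$PIN")"   # REJECT: issued by an unpinned CA
```

The second "chain only" line is the whole problem in one result: a certificate minted by a CA the site never used validates just as cleanly as the real one, because a browser's store trusts every root equally. The pin closes that gap only for sites that publish one, which is why a CA compromise is a systemic risk rather than a single site's problem.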

Why does that sound familiar?

It happened last year to the certificate authorities Comodo and DigiNotar: attackers got each of them to issue certificates for domains the attackers didn't control, and the DigiNotar incident wound up forcing that company into bankruptcy.

Will that happen to VeriSign?

Here's what the company told the SEC: "If we experience security breaches, we could be exposed to liability and our reputation and business could suffer."
