Internet giant VeriSign suffered a series of data breaches in 2010 and even now senior executives are not sure exactly what was compromised, the company has admitted in a filing made to the Securities and Exchange Commission (SEC).
News of the previously unmentioned breaches has been uncovered by Reuters from 2,000 pages of documents filed on the subject of security as part of a regulatory disclosure last October.
From the few details mentioned in the Reuters report, it appears that staff became aware of the breaches but did not tell their bosses until September 2011, only weeks before the SEC itself was informed by the company.
What was taken and precisely when could turn out to be the critical missing element of the story.
Verisign sold its critical SSL, Code Signing Certificate Services, and Managed Public Key Infrastructure (MPKI) Services to Symantec in August 2010, which raises the possibility that one of these might have been compromised before that date.
If so, it would be another part of a larger story in which the SSL certificate systems of a number of large companies were hacked and compromised during 2010 and 2011, undermining a certificate business that forms the hub of Internet security.
Victims have included Comodo, Diginotar, GlobalSign, KPN, and Digicert Malaysia; adding a company as important as VeriSign to that list would be a disturbing development. RSA’s SecurID token system was also attacked.
"There is no indication that the 2010 corporate network security breach mentioned by VeriSign was related to the acquired SSL product production systems," Reuters quoted Symantec spokeswoman Nicole Kenyon as saying by way of reassurance.
Any attacker getting their hands on genuine SSL certificates would be able to impersonate websites as a way of tricking users, or other servers, into connecting to them. SSL security is utterly fundamental and a loss of trust in this infrastructure would be a disaster.
VeriSign also has responsibility for managing core elements of the global DNS system.
[VeriSign management ] "do not believe these attacks breached the servers that support our Domain Name System network," a company source was quoted as saying.