If VeriSign didn't legally have to report it in the 10K filing, would we ever have heard about it? Mistakes happen and the CAs who got breached and publicly disclosed the event have weathered the storm. The CAs who delayed or tried to hide the breach have generally gone out of business. VeriSign may have been the first CA on the internet but that doesn't excuse the lack of public disclosure at the time of the event. Shame they have enough of the SSL protected internet held hostage that we can't simply remove them from the web browser's trusted list.