Verisign was repeatedly attacked in 2010 but the extent of what was stolen is unknown, and the company didn't even own up to it until late 2011.
Internet infrastructure giant VeriSign was the victim of numerous security breaches in 2010, which Reuters uncovered in a quarterly U.S. Securities and Exchange Commission filing in October. Information was stolen, but what or how much is unknown as VeriSign remains tight-lipped, saying only:
In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers ... We have investigated and do not believe these attacks breached the servers that support our Domain Name System ('DNS') network.
Even though the breaches were discovered in 2010, upper management wasn't notified until September 2011, says PCMag.com.
Security experts are having difficulty responding to the revelation as so much information is still unknown. Was the DNS network accessed? VeriSign's statement doesn't completely rule out the possibility. As TIME blogger Keith Wagstaff says: "I'd feel a lot better if they used the words ‘are certain' instead of ‘do not believe.'"
VeriSign used to be the world's largest SSL (secure socket layer) certificate issuing authority before selling the business to Symantec. Was a root SSL certificate compromised? Computerworld explains the risk:
If criminals did steal one or more SSL certificates, they could use them to conduct ‘man-in-the-middle' attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted. Or they could use them to ‘secure'fake websites that seem to be legitimate copies of popular Web services, using the bogus domains to steal information or plant malware.
Wagstaff sums it up:
The fact that a company this big and this central to the Internet would wait so long to reveal it had been attacked is unacceptable.