Verisign has admitted in an SEC filing that it suffered numerous data breaches in 2010, but that management wasn’t informed by staff for nearly a year after they occurred. In the 10-Q filing, the company said that it suffered multiple data breaches during 2010, and that data was stolen. Exactly what is missing the company isn’t …
"management wasn’t informed by staff for nearly a year after they occurred."
Doesn't sound very likely.
“The Company’s information security group was aware of the attacks shortly after the time of their occurrence
Really? Then how come senior mgt weren't aware?
I smell bullshit.
Not a BOFH . . .
If it were a BOFH, management would never have found out about it, and they probably would have wound up down a well somewhere or crushed in a lift. Knowing Symantec, those responsible more closely resemble Laurel and Hardy than Simon and the PFY and did not tell management lest they be terminated.
re: doesn't sound very likely.
>> management wasn’t informed by staff for nearly a year after they occurred.
> Doesn't sound very likely.
What doesn't sound likely: that Verisign was hacked, or that Verisign waited a year to tell anybody? If the latter, then why doesn't it sound very likely?
Which bit of Verisign owns the root certificate for most of the known universe? Symantec's bit or the bit that (presumably) stayed under the Verisign name? Was that bit part of the attack?
This is somehow Microsoft's fault
DNS is so inherently insecure after all, if some hacker can steal sensitive data using vulnerabilities in Adobe products and transmit it pretending to be Windows Update, and spoof update.microsoft.com so instead of it going to an Akamai server network it goes to a botnet. And let's not forget how inherently insecure digital signatures are... even though there probably isn't a line of MS code being used at Verisign....
OK, I got it out of my system. Downvote away. It's 3 PM, I'm fried... :-)
Take your pick:
This story represents:
A) BS in butt-covering amounts
B) a disastrous level of employee communication and managerial control
One of the top security companies in the world gets hacked multiple times, and management doesn't know for a year?!
It shows excellent managerial control, but total lack of everything else.
Smells like bullshit. If a company is in the business of security (such as it is on the interwebs), they should know full well when they've been hacked/attacked.
They likely knew about that when it happened but covered it up to keep selling their brand of internet snake oil.
Anyone feel a sense of deja moo?
You know, that feeling you get when you've heard that bull before…?
While not on Diginotar proportions, it doesn't sound good.
This all begs the question...
...why have they decided to spill the beans now?
If they've kept it secret this long, why not continue that way?
Was there another security leak - this time an employee who was going to go public if they didn't?
Isn't this a sarbox violation?
If I remember the furore around Enron and the Sarbanes-Oxley legislation that was brought in afterwards, one of the key features was that the senior management was required to make sure they became aware of all risks to business continuity and the bottom line.
If the management was not aware they cannot hide behind that. They are still liable for criminal prosecution if the SEC takes the view that investors were not informed of the risk to the business in a timely manner.
Watch this space. If sarbox has teeth and the regulators are serious about keeping things under control then we can expect sanctions against the directors here.
That would be why they are announcing now.
Because they are announcing now and SEC hasn't gone after them yet, it doesn't count as a violation. Now if SEC had caught them and they still didn't know....