A VeriSign filing with the Securities and Exchange Commission reveals that the company suffered more than one data breach in 2010, raising questions about how secure the company's products are and what customers should do about it.
Here are some of those questions and some answers.
VeriSign suffered multiple security breaches in 2010 in which data was stolen.
What was stolen?
VeriSign won't say.
Does it affect the DNS network the company supports?
VeriSign doesn't think so, but isn't sure.
Has the stolen information put VeriSign customers at risk?
It's hard to say since VeriSign is mum about what was stolen. However it does say it's not aware that any of the stolen data has been used, but isn't really sure.
What should customers of VeriSign do to be safe?
The possibilities range from assuming VeriSign would have told them if there were a serious problem so do nothing, to assuming the worst and dumping VeriSign for another provider. Without more specifics about what was stolen, it's hard to say what's best. Perhaps if they ask VeriSign directly they'll get more answers out of them than the company has given to the press, as was the case when RSA suffered a breach last year.
When exactly did this happen?
Sometime before Aug. 9, 2010 when Symantec bought some of VeriSign's business. Symantec says the breaches didn't occur after it bought those assets.
When was it reported to the SEC?
What took the company so long?
New SEC rules that required such reporting took effect in October 2011.
So VeriSign was forced into revealing the breaches by the SEC?
That and the fact that employees who knew about it didn't tell upper management about it until September 2011, or as VeriSign put it, "the attacks were not sufficiently reported to the Company's management."
Why is this coming to light now?
The news service Reuters turned it up when investigating what kinds of filings the new rules prompted.
Under the rules when is a breach serious enough to report?
The SEC guidelines don't go into specifics, but say in part: "Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky."
How much do companies have to tell the SEC?
The guidelines are lengthy but include this: "... if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition."
What is VeriSign doing about the problem?
According to its SEC filing, the company "may have to expend significant time and money to maintain or increase the security of our facilities and infrastructure." Even so, the company could fall prey to other attacks, the filing says. "It is possible that we may have to expend additional financial and other resources to address such problems."
What's so important about what VeriSign does, anyway?
It controls two of the Internet's 13 root DNS servers, so -- worst case -- if they are compromised and infect the other servers, it could become impossible to type in a URL and get where you want to go.
The company also issues SSL digital certificates that are supposed to ensure that Internet users are actually reaching the servers they intend to before making secure connections with them. If the system is compromised, criminals could use false certificates, masquerade as legitimate websites and steal valuable personal information about victims who are duped by the deception.
Why does that sound familiar?
It happened last year to certificate authorities Comodo and DigiNotar and wound up forcing DigiNotar into bankruptcy.
Will that happen to VeriSign?
Here's what the company told the SEC: "If we experience security breaches, we could be exposed to liability and our reputation and business could suffer."