Verisign Breached Several Times in 2010Company: Data Accessed, But Net Root Name Servers Unaffected
"We have investigated and do not believe these attacks breached the servers that support our Domain Name System network," Versign stated in a 10-Q quarterly report dated Oct. 28 and filed with the Securities and Exchange Commission, but not previously publicized.
Still, Verisign in the filing acknowledged that attackers had exfiltrated information stored on the compromised corporate system. The filing neither specified the type of information accessed nor how it might have been used by hackers. "The company's information security group was aware of the attacks shortly after the time of their occurrence, and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks," the filing said. "However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information."
Thursday night Eastern time, Verisign issued a statement reiterating that the servers that route Internet traffic were not affected by the breach:
"We have a number of security mechanisms deployed in our network to ensure the integrity of the zone files we publish. In 2005, Verisign engineered real-time validation systems that were designed to detect and mitigate both internal and external attacks that might attempt to compromise the integrity of the DNS. All DNS zone files were and are protected by a series of integrity checks including real-time monitoring and validation. Verisign places the highest priority on security and the reliable operation of the DNS."
In its SEC filing, Verisign characterized as effective its processes for the IT group to report breaches to top management, though it did change them after an investigation. "Management was informed of the incident in September 2011 and, following the review, the company's management concluded that our disclosure controls and procedures are effective," the filing said. "However, the company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the company's disclosure controls and procedures in this area."
Verisign, in response to an e-mail query, did not provide further clarification of its IT security governance process.