World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago

John Levine

The trade press is abuzz today with reports about a security breach at Verisign. While a security breach at the company that runs .COM, .NET, and does the mechanical parts of managing the DNS root is interesting, this shouldn't be news, at least, not now.

Since Verisign is a public company, they file a financial report called a 10-Q with the SEC every quarter. According to the SEC's web site, Verisign filed their 10-Q for June through September 2011 on October 28th, where it's been available to the public ever since.
Like every other 10-Q, it has a Risk Factors section which lists all the reasons that the company might fail, so don't sue us. Normally those sections are pretty routine, key employees might quit, customers might desert us, key contracts might not be renewed, that sort of stuff. But this 10-Q contained this bit:

We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network. Information stored on the compromised corporate systems was exfiltrated. The Company's information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future. The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company's management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company's disclosure controls and procedures in this area.

Apparently nobody got around to reading it until today, at least nobody who understands the business well enough to know what it means.

All the press reports I've seen just regurgitate that paragraph, adding a few quotes from people close to Verisign who all said they didn't know about it either, and security types who told us that it's an enormous big deal. (Now that you've read the paragraph, you're as qualified to pontificate as anyone.)

Personally, I don't know if it's an enormous big deal or not. Risk factor sections tend to be written as pessimistically as possible, so you can skip over the parts about how they cannot assure you and so forth. One thing I do know is that it happened over a year ago, so if anything significant happened as a result, and Verisign knew about it, they'd have told us about that, too, on the principle that you release all your bad news at once. So this means that either it really was just a minor network breach, or the evil consequences are so deep and subtle that we may not know about them for years and years, if ever. I'd tend toward the former, but then, I'm not a Verisign stockholder.

By John Levine, Author, Consultant & Speaker.

Related topics: Cyberattack, DNS, Security

If I understand correctly... Kevin Murphy  –  Feb 02, 2012 11:35 PM PST

So, in summary, you're questioning the value of articles that merely block-quote the SEC filing and pad it out with useless commentary?

John Levine  –  Feb 03, 2012 6:58 AM PST

you forgot "the three month old SEC filing"
