"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."
The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.
And this one:
Ken Silva, who was VeriSign's chief technology officer for three years until November 2010, said he had not learned of the intrusion until contacted by Reuters. Given the time elapsed since the attack and the vague language in the SEC filing, he said VeriSign "probably can't draw an accurate assessment" of the damage.
I met Ken several times while he was CTO of (the whale) VGRS and I was CTO of (a minnow) CORE. I think his assessment (VGRS's inability to draw an accurate assessment at the point in time it disclosed the breach to the SEC) is likely to be correct.
I've no idea if this was disclosed to ICANN and/or the DoC as part of the .net contract renewal. The notion that the duty of disclosure by publicly traded corporations of operational failure extends to the SEC, for the protection of investors, and no further, comes as a surprise. This is the dot after all.