GlobalSign says web server, not CA systems, hit by breach | SC Media

December 16, 2011

GlobalSign, a Portsmouth, N.H.-based certificate authority (CA) that briefly halted the issuance of SSL certs over fears it had been hacked, has determined its CA infrastructure was never compromised.

In addition, the company said in a statement Tuesday that it had concluded its investigation and found no evidence that any bogus certificates were issued or that customer data was exposed.

During its probe, GlobalSign did confirm that a "peripheral web server" -- not connected to any CA systems -- had been breached, a finding that had previously been believed to be true. As a result of that incident, the SSL certificate and key for www.globalsign.com were found to be compromised and were subsequently revoked.

"The breached web server was immediately locked down and subsequently rebuilt with a new disk and hardened system image," the company said.

As a precaution, GlobalSign stopped issuing certs from Sept. 6 to 15, and all customer passwords were reset. That decision followed claims linked to recent attacks on CAs Comodo and DigiNotar. The so-called "Comodohacker" claimed responsibility for those breaches and said he had access to four other CAs, including GlobalSign.

GlobalSign maintains that its CA infrastructure was never touched, but said the web server breach may have been the first phase of an advanced persistent threat (APT) against its systems. The company has since bolstered its infrastructure and implemented new "swift" incident response plans.

"More than ever, we appreciate that the threat has evolved, and we are committed to ensuring no such outages occur again from future claims or attacks," the company said.
