Hacked security firm closes its doors
- 20 September 2011
- From the section Technology
Dutch security firm DigiNotar has filed for voluntary bankruptcy following a series of attacks by a hacker.
The attackers penetrated DigiNotar's internal systems and then issued fake security certificates so they could impersonate web firms.
The certificates are believed to have been used to eavesdrop on the Google email accounts of about 300,000 people.
The hacker behind the attacks claims to have penetrated four other firms that issue security certificates.
DigiNotar's parent company Vasco Data Security said the firm had been put into voluntary bankruptcy. A trustee for the business has been appointed who will oversee the winding up of DigiNotar.
The scale of the attack on DigiNotar began to be uncovered on 19 July when the firm said it first found evidence of an intrusion. It started to revoke certificates and an investigation was carried out to find out how much damage had been done.
An initial report found that hundreds of fake certificates had been issued and hackers had almost total access to DigiNotar's network.
The security certificates it and many other firms issue act as a guarantee of identity so people can be sure they are connecting to the site they think they are.
The fake certificates DigiNotar revoked were for some of the biggest net firms including Google, Facebook, Twitter and Skype.
It is thought the fake certificates for Google were used in Iran to peep at the email accounts of about 300,000 people.
Soon after discovering the attack, DigiNotar stopped issuing certificates altogether. Once wound up, its business and assets will be folded into Vasco.
"We are working to quantify the damages caused by the hacker's intrusion into DigiNotar's system and will provide an estimate of the range of losses as soon as possible, " said Vasco in a statement.
It added that its network and systems remained separate from DigiNotar and, as a result, "there is no risk for infection of Vasco's strong authentication business".
Writing on the Sophos blog, Graham Cluley said few people would shed tears over the closure.
"The firm lost all trust when it was discovered that it had known that it had suffered a security breach weeks before coming clean about the problem," he said.