GlobalSign® Corporate Information

Incident Response


September 11 2011, 4pm GMT - We thank everyone again for your continued support during the reactivation process. We will be bringing system components back online on Monday during a sequenced startup, but we do not foresee that customers will be able to process orders until Tuesday morning. We sincerely apologise for the extra delay. More updates will follow if the situation changes.


 

September 10 2011: GlobalSign is working with Cyber Defense Institute Japan (http://www.cyberdefense.jp/en/) as part of the reactivation process.


 

September 09 2011, 7pm GMT - Today we found evidence of a breach of the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high-threat approach to returning services to normal continues.

All forensics are being shared with the authorities and other CAs to assist with their own investigations into other potentially related attacks.


 

September 09 2011, 2pm GMT - We have received several requests to explain terminology used by CAs, particularly what is meant by the GlobalSign root being offline. By "offline" we mean that the Root CA Certificate is not connected to any network of any type. Root Key Material is physically (geographically) separate from any networked systems and is only ever exercised in controlled and physically sealed offline ceremonies.


 

September 08 2011, 5:25pm GMT: Update - We will start bringing services back online on Monday. We have already stated that we deem this to be an industry-wide threat due to the mention of multiple CAs. We are adopting a high-threat approach to bringing services back online and we are working with a number of organisations to audit the process of bringing the services back online. We apologise again for the delay.

We would like to take the opportunity to explain that the GlobalSign CA root was created offline, and always has been offline. Any claim by the Comodohacker to hold a private key does not refer to the GlobalSign offline root CA. The investigation also continues.


 

September 08 2011, 4pm GMT: Update - We deem these claims to represent an industry-wide attack. At this time we continue with our investigation and precautionary measures. We thank our customers, and the industry as a whole, for supporting the difficult decision to halt issuance while these steps are taken. We will update again as soon as we release a defined timeline to reactivate our services.


 

September 07 2011: 5pm GMT: Update - The appointment of Fox-IT is a precautionary measure as we continue to assess the Comodohacker's claims.


 

September 07 2011: Today, GlobalSign has officially announced the appointment of Fox-IT to assist with investigations into the claimed breach. Fox-IT are the Dutch cybersecurity experts hired to investigate the compromise of the Dutch CA DigiNotar and therefore already have a wealth of current knowledge and experience of the hacker.


 

September 06 2011: On Sep 5th 2011 the individual/group previously confirmed to have hacked several Comodo resellers claimed responsibility for the recent DigiNotar hack. In his message posted on Pastebin, he also referred to having access to 4 further high-profile Certificate Authorities, and named GlobalSign as one of the 4.

GlobalSign takes this claim very seriously and is currently investigating. As a responsible CA, we have decided to temporarily cease issuance of all Certificates until the investigation is complete. We will post updates as frequently as possible.

We apologize for any inconvenience.

 

 

Media Contacts:

  • Please email the Press Department at press@globalsign.com or call +32 16 89 19 00 for media enquiries
