[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Nortel executives knew of data breach, chose to do nothing


By Wayne Rash
CSO Online
February 14, 2012

Former Nortel CEO Frank Dunn, now being tried for fraud, was among several senior company managers who were aware of a long-standing data breach into Nortel's computers systems, but chose to do nothing.

According to reports in the Wall Street Journal, former Nortel employee Brian Shields led an investigation and discovered the breach, but was prevented by company executives from taking any action.

Nortel, which has since declared bankruptcy, and which was cleared by the Department of Justice to sell $4.5 billion worth of patents to Apple, Microsoft and RIM on Monday, was deeply penetrated by hackers, suspected of being from China. Sophos Senior Security Advisor Chester Wisniewski wondered if those companies would have paid so much for the patents if they'd known the data was likely already compromised. "If the patents were known to have been potentially stolen or compromised, wouldn't they have to report that?" he asked.

Wisniewski criticized Nortel's response to the breach. "I think the response is shameful. It doesn't look like they really cared," he said. Wisniewski said that while many are blaming the Chinese government for the breach, there's really nothing to prove that China was really involved. While a Chinese Internet site seems to have been the destination for data stolen from Nortel, "Just because something appears to be from China doesn't mean it is," Wisniewski said.

Neil Roiter, research director for Corero Network Security, called the Nortel breach disturbing. But he said that Nortel's response was even more so. "Perhaps more disturbing, if the report is accurate, is the failure of Nortel to respond when the breach was discovered, and, less surprisingly, their failure to disclose it," Roiter said. "Perhaps the danger was less clear eight years ago than it is now, but the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling."


Certified Ethical Hacker and CISSP training with Expanding Security gives
the best training and support.
Get a free live class invite weekly.  Best program, best price.