Symantec (NASDAQ:SYMC), a leading producer of anti-virus, anti-spyware and Internet security solutions, has found itself on the wrong side of a highly publicized security breach. The company was hacked in 2006 — with source code for several of its most popular products reported stolen — but it didn’t disclose the incident until last week, which has raised eyebrows and put the company on the defensive.
In an official report published on Jan. 23, Symantec acknowledged that its network and some products had been compromised:
“Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.”
The company went on to suggest that pcAnywhere customers disable the product until a patch could be released, then announced on Jan. 30 that the current version of the software, combined with a new patch, was now safe for use. It also offered free upgrades to users of previous versions of pcAnywhere. Users of the other Symantec products listed are not considered to be at risk because the code used in current versions is significantly different from the 2006 source code.
Two issues have the potential to damage Symantec:
Product Effectiveness. Symantec is one of the biggest names in computer security. It produces many of the top-selling security products for Windows, Mac and enterprise systems and is also targeting smartphone users. The company’s customers have to wonder how effective its products are if Symatec itself can be hacked — and not just in a trivial manner but to the extent that source code for multiple products was stolen from its servers. This is a perfect opportunity for rivals to capitalize on Symantec’s missteps, while some potential customers are likely to question whether spending money on security products is worth the cost.
Trust. Symantec has come under fire before, accused of fear-mongering about the threat posed by hackers or trying to up-sell customers on its products. By not notifying customers of the security breach until hacker group Anonymous forced its hand by publicly bragging about the theft — which Anonymous attributed to another hacker group, Lords of Dharmaraja — Symantec’s reputation took a hit. Either Symantec knew or suspected it had been hacked back in 2006 and chose to sit on that information or it had no idea and just realized the intrusion after the Anonymous pronouncement. Either way, it appears that a large number of Symantec customers have been vulnerable to attack for years. Again, this is a perfect opportunity for rivals to capitalize on Symantec’s stumble.
Taking the unusual step of publicly recommending that its customers stop using pcAnywhere, acting quickly to patch the security holes in its products and offering free upgrades to customers (even those using outdated versions) was the right move in terms of regaining customer trust.
It’s too early at this point to predict whether these events will affect sales of Symantec products, but so far the market hasn’t reacted negatively. Symantec’s shares have risen steadily from the $15 range in December to just over $17. On Jan. 25, the company reported third-quarter 2012 revenue of $1.72 billion, an increase of 6.9% from the previous year, marking a sixth consecutive quarter of meeting or exceeding earnings and revenue projections. Stay tuned to see if Symantec manages a seventh despite all the negative publicity.
