Another Dutch CA confirms breach, stops issuing certificates

Another Certification Authority has admitted a breach into its systems and has decided to suspend the issuing of digital certificates as a precaution until more details are known about the intrusion.

Dutch-based KPN Corporate Market (formerly Getronics) is very similar to the now infamous DigiNotar. In fact, after the latter filed for bankruptcy following the widely publicized breach and subsequent revocation of its accreditation as a certificate provider, many of its customers flocked to KPN.

According to the company’s statement (Dutch version) the breach seems to have happened four years ago, and was discovered because the company initiated internal and external audits of its system following the recent spate of CA compromises.

So far, the investigation has uncovered that the server on which the company’s website is hosted was breached and that DDoS tools were installed on it. Since the discovery, the server has been replaced, but KPN will wait until the final results of the external, independent investigation – due next week – are known before it restarts issuing certificates. In the meantime, the Dutch government has been notified of the issue.

KPN says that although there is no evidence that already issued certificates have been compromised, the possibility cannot be completely excluded.

“What’s particularly interesting about KPN’s statement is that it could be interpreted as them saying already issued certificates will remain valid (no matter what). KPN is a much bigger certificate authority than Diginotar. Possibly, people could be going into this with the idea of KPN being too big to fall,” commented Kaspersky Lab expert Roel Schouwenberg. “One of the questions that should also be answered is how a DDoS tool went undetected for four years. However, as companies are ramping up internal security I fully expect to see more ‘old breaches’ like this one uncovered.”