Two well-known companies — Cisco Systems Inc. and Wells Fargo & Co. — found themselves this week dealing with the aftermath of apparent security breaches that in both cases were embarrassingly similar to incidents both confronted only months earlier.
For the second time this year, Cisco said it is looking into the possibility that source code may have been stolen. The latest incident came to light when an anonymous hacker group offered copies of Cisco’s PIX 6.3.1 firewall for sale in an online newsgroup early in the week.
In a terse note posted on its Web site, the network giant said it is “actively looking into the alleged claims by some Internet groups on the purported sale and general availability” of the source code. A spokeswoman declined to elaborate.
Meanwhile, Wells Fargo said three laptops and one desktop computer containing personal information about the bank’s borrowers were stolen from an Atlanta-based subcontractor for the San Francisco-based financial services company. The computers, stolen in early October, contained the names, addresses, loan numbers and Social Security numbers of thousands of borrowers, according to Wells Fargo spokesman Kevin Waetke.
Wells Fargo was able to “quickly identify” the customers affected by the theft and this week issued letters notifying them of the loss of information and of plans to provide free identity theft protection, Waetke said. “The customers were notified as a precaution only. We have no indication any customer’s information has been compromised.”
This isn’t the first time this year that both companies have dealt with similar incidents.
In May, an 800MB portion of Cisco’s Internetworking Operating System code was illegally copied and posted on a foreign Web site for anyone to download for several days. The theft of the code, which is widely used in Cisco equipment, prompted fears of security threats to users. An arrest in the case was made in September in the U.K.
The actual risk posed to users by the apparent theft of Cisco’s PIX firewall source code is minimal, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. “Unless Cisco was taking shortcuts they were hoping no one would ever see, this should not be a big deal,” Pescatore said.
But the latest incident, like the previous one, does raise questions about how well protected Cisco’s source code really is, he said. “The main question is, if somebody could steal the source code from an internal server, they could also (compromise) it” in some other fashion, he said.
The net result from incidents such as this is that there’s a lot more source code becoming available for malicious hackers to go after, said Ken Dunham, a director at iDefense Inc. in Reston, Va.
In Wells Fargo’s case, the latest incident represents the third time in the past year that the bank has had to warn customers of potential ID theft issues as a result of security breaches. Both previous cases resulted from stolen laptops.
“These incidents continue to be isolated, and each has a different set of circumstances,” Waetke said. “We continue to learn from previous thefts of computers and want to ensure that affected customers are protected.”