According to reports in the Wall Street Journal, former Nortel employee Brian Shields led an investigation and discovered the breach, but was prevented by company executives from taking any action.
Nortel, which has since declared bankruptcy and which was cleared by the Department of Justice to sell US$4.5 billion worth of patents to Apple, Microsoft and Research In Motion on Monday, was deeply penetrated by hackers suspected of being from China.
Neil Roiter, research director for Corero Network Security, called the Nortel breach disturbing. But he said that Nortel’s alleged response was even more so. “Perhaps more disturbing, if the report is accurate, is the failure of Nortel to respond when the breach was discovered, and, less surprisingly, their failure to disclose it,” Roiter said. “Perhaps the danger was less clear eight years ago than it is now, but the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling.”
Roiter predicted that new SEC guidelines will result in more disclosures, such as the news about the 2010 VeriSign data breach. Wisniewski said that while Nortel may have been ill-equipped to deal effectively with the data breach when it was discovered a decade ago, “They should have called law enforcement.” He said that when breaches are international in scope, as the Nortel breach clearly was, then the government is best equipped to deal with them.
Wisniewski said that only governments are really capable of providing the resources to share data regarding several threats and determine patterns. “A lot of information sharing needs to happen to fight these. Only our governments have the ability to share and take action. It’s important that more of these organizations should involve law enforcement,” he said.
Wisniewski said that because Nortel chose not to ask for help or otherwise deal with the breach of its security, it’s unlikely that the attacker will ever be identified. However, he noted that it’s virtually certain that a vast amount of intellectual property was compromised.