Symantec loses anti-virus source code

"Implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night", Imperva commented on the incident

Symantec, in stressing that its own networks had not been breached but those of “a third party entity,” stated that it has “no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time.”

This third party, according to YamaTough, is the Indian Military, an assertion that has some credibility since governments often require source code to ensure the software contains no spyware. But it may be less worrying than it might seem. It’s embarrassing, said data security firm Imperva. But “the implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night, and certainly not their customers.” It really depends upon the full extent of the data loss. Most of an AV product is little more than a list of virus signatures, and the signature list becomes out of date within weeks.

Even if the stolen data includes Symantec’s own algorithms, Imperva pointed out that most of these have already been studied by the hackers writing viruses so that they can evade them. “If the source code is recent and hackers find serious vulnerabilities, it could be possible to exploit the actual anti-virus program itself. But that is a big if, and no one but Symantec knows what types of weaknesses hackers could find.”

Nevertheless, Symantec will need to provide detailed information on the cause and effect of this data loss to prevent its customers from losing confidence in its products. In the meantime, the company said, “Symantec is working to develop a remediation process to ensure long-term protection for our customers’ information. We will communicate that process once the steps have been finalized. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”
