Judge Tosses Symantec Source Code Data Breach Lawsuit


A class-action lawsuit stemming from a 2006 Symantec source code data breach has been tossed out of federal court on technical grounds.

U.S. District Court Judge Jon S. Tigar dismissed the lawsuit last week. It had claimed that users of Symantec's pcAnywhere, Norton SystemWorks, Norton AntiVirus Corporate Edition and Norton Internet were harmed by the source code leak because the products may have contained exposed code from the 2006 breach. According to court documents obtained by CRN, the lawsuit, filed on behalf of Texas resident Kathleen Haskins, claimed users "were deprived of the benefit of their bargain because they did not receive a fully functional Symantec product."

Symantec acknowledged last year that its network may have been breached in 2006, enabling an attacker to gain access to the source code of many of its products. The breach came to light following an extortion attempt by an India-based chapter of hacker collective Anonymous warning that it would expose the information if it wasn't paid a fee. Following additional contact with the group, Symantec advised customers to disable pcAnywhere components and urged users of the remote access software to use additional safeguards. The company has since issued software updates that included a "redesigned security model," addressing vulnerabilities exposed by the breach.

[Related: Verizon Analysis: Top 10 Causes Behind Data Breaches]

The source code of outdated Norton AntiVirus Corporate Edition, Norton Internet Security and SystemWorks also was leaked, but Symantec said the leaked 2006-era software source code posed no risk to current Norton customers. The 2006 version of Norton Utilities is no longer sold or supported, the Mountain View, Calif., firm said.

"The current version of Norton Utilities has been completely rebuilt and shares no common code with Norton Utilities 2006," Symantec said in a statement on its website. "The code that has been posted for the 2006 version poses no security threat to users of the current version of Norton Utilities. Furthermore, we have no indications that the posting of this old code impacts the functionality or security of any other Symantec or Norton solutions."

Symantec acknowledged that the Norton AntiVirus Corporate Edition code that was leaked represented less than 5 percent of the pre-release source for its Symantec AntiVirus 10.2 product.

Judge Tigar tossed the lawsuit Aug. 23, citing an issue with the names of the Symantec products. The lawsuit swapped the names of Norton Internet Security and Norton Antivirus. He also said the lawsuit failed to make clear the relationship between Norton AntiVirus and Norton Internet Security, which had been affected by the breach, but said Haskins could file an amended complaint within 21 days of the dismissal.

"Plaintiff has not demonstrated her standing to bring this action, and the complaint must be dismissed," Tigar wrote in the court order granting Symantec's motion to dismiss the case.

Security experts said the biggest threat from the breach was man-in-the-middle attacks targeting the exposed pcAnywhere services. A successful attack could enable cybercriminals to view a remote session and potentially steal sensitive data.

The pcAnywhere components had been contained in a variety of Symantec products. Security guidance (.PDF) issued by Symantec urged users of the remote access software to consider using remote sessions via secure VPN tunnels. The company listed general best practices and urged its Altiris customers to review pcAnywhere logs within the Symantec Management Console.

PUBLISHED AUG. 27, 2013