Lawsuit Alleges Symantec Failed to Disclose Hack of Antivirus Program

If hackers steal the source code to a software company’s antivirus and remote-access programs, can the company continue to sell the compromised software without informing customers of the hack?

The complaint alleges that the software company failed to take any proactive measures to protect the security and functionality of its software.

A lawsuit filed against software giant Symantec, the makers of pcAnywhere and the popular Norton Antivirus suite of software products, presents this question to a federal district court in San Jose, California.

On April 22, 2013, a customer of Symantec filed a putative class action lawsuit against the company arising out of the 2006 hack of Symantec by the Lords of Dharmaraja, the India-based chapter of the global hacker collective known as Anonymous. According to the complaint, the Lords of Dharmaraja infiltrated Symantec’s computer network sometime in 2006 and stole the source code for several of its products including pcAnywhere, Norton Antivirus Corporate Edition, Norton Internet Security, and Norton SystemWorks.

As alleged in the lawsuit, Symantec suspected in 2006 that its network had been breached and its source code stolen, but the company did not disclose the hack to its customers. Furthermore, the complaint alleges that the software company failed to take any proactive measures to protect the security and functionality of its software until hackers publically revealed the breach in early 2012.

The lawsuit contends that, with the source code in hand, hackers can readily access computer systems without authorization, install malware and viruses, and leave software users vulnerable to data breaches and identity theft.

The allegations contained in the complaint reveal the risks that corporations face in negotiating with hackers. On January 4, 2012, the Lords of Dharmaraja posted on pastebin.com what they claimed was confidential documentation pertaining to Norton Antivirus source code. YamaTough, the pseudonym of the hacker who posted the documents, published at least two more documents on Google+ containing the source code of Symantec software products.

Symantec initially denied that its internal network had been hacked, instead reporting that the hackers stole the source code from servers in India’s military and intelligence government agencies. The complaint alleges that Symantec engaged in private email negotiations with YamaTough for a $50,000 payout in exchange for destroying the stolen source code and not publishing any more of it on the internet.

As part of the proposed deal, Symantec allegedly required the hackers to proclaim that they lied about hacking into Symantec’s network and stealing the source code. The negotiations between YamaTough ultimately broke down and the hackers published the pcAnywhere source code on the internet.

YamaTough publically stated that the Lords of Dharmaraja never intended to make a deal with Symantec and told Reuters that, “we tricked them into offering us a bribe so we could humiliate them.”

On January 17, 2012, Symantec revealed publically for the first time that during 2006 hackers infiltrated its network and stole the source code for several of its products.

The suit accuses Symantec of breach of contract, breach of warranty, and failure to comply with California laws intended to protect consumers.

The lawsuit seeks to recover the price paid by customers for each purchase, lease, or license of the compromised Symantec products. In addition, the suit seeks punitive damages against the company because Symantec allegedly acted with reckless disregard to the rights and interests of its customers.

To date, Symantec has not offered any form of reimbursement to its customers who purchased the compromised software products.