Dutch prosecutors said Tuesday they are investigating the Internet security company DigiNotar for possible criminal negligence after it was slow to disclose a hacking incident that likely helped the Iranian government spy on dissidents for a month.
A Dutch government review of the incident conducted by external information technology experts found that DigiNotar -- which sells security certificates guaranteeing the safety of websites -- had used weak passwords, failed to update software on its public servers and had no antivirus protection on its internal servers.
The review, published Monday, said dozens of websites were compromised.
Spokesman Ernst Koeman of the Netherlands' national prosecutor's office said Tuesday the investigation is in an early phase and he couldn't say whether criminal charges will be filed.
DigiNotar, the Dutch subsidiary of Chicago-based Vasco Inc., did not return phone calls seeking comment.
The company first acknowledged it had been hacked on Aug. 30, a day after Google publicly stated that fake and unauthorized DigiNotar certificates for Google sites were circulating in Iran. Google marked the company's certificates as dubious, and other web browser makers followed suit.
Only then did DigiNotar acknowledge that it had been hacked on July 19, saying that hackers had issued fake certificates for "a number" of domains. The company said it believed it had withdrawn them all, but missed Google.
On Sept. 3, the Dutch government seized control of DigiNotar's operations, saying certificates the company had issued to guarantee the safety of numerous Dutch government websites could also no longer be relied on.
The external review by Fox-IT found that the company was actually hacked on June 17 and that hackers had issued 531 bogus certificates for 344 domains in all, including those of most major Internet communications companies.
The fake Google certificates had been used by 300,000 IP addresses, more than 99 percent of them in Iran.
Fox-IT and other experts concluded the hackers were helping the Iranian government spy on citizens who thought they were accessing Google email securely due to the bogus DigiNotar seal of approval.
"We are definitely going to look at whether this is negligence, whether this is culpable negligence by the company that they didn't report this," Interior Minister Piet Hein Donner said at a news conference late Monday.
The government also is investigating who was behind the hack, though that may be difficult to verify without help from Tehran.
An unknown person who claimed responsibility for a similar hack of U.S.-based Comodo Inc. in March claimed responsibility for the DigiNotar hack on Monday.
In a posting on Pastebin.com, "ComodoHacker" offered what he or she said was the user name and password for an administrator's account at DigiNotar as evidence.
The person, who used phrases in the Farsi language spoken in Iran in previous posts to Pastebin -- including a phrase that also was found by Fox-IT in a message left on DigiNotar's servers -- cited anti-Western political motivations for both hacks.
Donner said that in the wake of the incident the Dutch government is considering legislation that would make it mandatory for companies to disclose computer hacks and data leaks.