Cyber Incident Victim: HP Inc.
Date: Oct 2014
Location: United States of America
Summary
A technology company accidentally signed malware with its digital certificate after a developer’s infected computer processed the malicious code alongside legitimate software; a security firm identified the signed malware. The organization confirmed no compromise of its certificate authority infrastructure but will revoke the affected certificate to prevent further misuse, requiring reissuance of numerous software packages with new signatures. While existing installations remain unaffected, users reinstalling software from original media may encounter certificate warnings. The incident involved a known Windows Trojan that was distributed online bearing the company’s signature but was not shipped to customers through official channels.
Description
In October 2014, Hewlett-Packard (HP) announced it would revoke a digital certificate after discovering it had been used to inadvertently sign malware. The incident occurred when a Windows Trojan infected the computer of an HP developer. Symantec alerted HP to the presence of malware bearing the company’s valid digital signature. HP Global Chief Information Security Officer Brett Wahlin confirmed the malware—a four-year-old Trojan—was accidentally signed during the packaging of unrelated legitimate software on the compromised developer’s machine. The signed malware then transmitted itself externally, though Wahlin emphasized no HP software distributed to customers contained the malicious code. HP maintained its certificate authority infrastructure remained uncompromised, with no breach of its code-signing systems. The accidental signing stemmed solely from the malware’s presence on the developer’s workstation during routine software packaging operations.

HP initiated revocation procedures for the affected certificate through Verisign, scheduled for October 21, 2014. This action necessitated reissuing numerous software packages—including hardware drivers critical for older HP systems—with new digital signatures. While existing installations remained functional, users reinstalling software from original media would encounter certificate validation errors post-revocation. Wahlin acknowledged the operational burden of re-signing and redistributing affected software but underscored the absence of broader infrastructure compromise. The full scope of impacted systems and software dependencies remained uncertain pending the certificate’s formal revocation. HP directly notified customers requiring updates but did not disclose specific quantities of affected products or detailed remediation timelines beyond the revocation date.
