The 2006 hack that got a group called the Lords of Dharmaraja the source code of its corporate products was at an Indian company that may have been sharing the code with the Indian government – a major security risk.
Later, of course, Symantec admitted its servers were the ones that got pwned, and by a good old-fashioned American enemy – Anonymous – not some far-off group of foreign hackers with a strange name who probably had magical powers, anyway.
In fact, the Lords of Dharmaraja are pretty well known in India, have worked with Anonymous in the past, and are just as willing and able to scam Symantec with fake stories about corruption in the Indian military as Anonymous was to claim it was replacing its Low Orbit Ion Cannon DDoS-attack-automation software with something more effective.
(The "something more effective" wasn't a hacking tool, btw. It was the Occupy movement.)
Symantec: False reassurances on second major breach
Symantec gets credit for continuing to issue updates, even when the updates made it look worse than it did at first.
That minor credit pales in comparison to the demerit it gets for not realizing its own servers had been hacked five years before and the source code of its key products stolen.
It should also stand and explain why its response to the pcAnywhere hack followed the same pattern as its response last fall, when SSL certificates from its VeriSign subsidiary were stolen and eventually used in attacks on a range of U.S.-based companies.
Together with certificates stolen from RSA and eventually used in attacks on Lockheed Martin and other defense contractors, the two certificate thefts seriously undermined the security of nearly every high-security facility, nearly all of which use public keys and SSL certificates as a primary way to authenticate users securely.