RSA has admitted that its systems have been breached, with information on its SecurID two-factor authentication tokens stolen.
In an open letter on the RSA website, executive chairman Art Coviello said that its ‘security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA’ and that investigations led it to believe that it was an advanced persistent threat (APT).
He said: “We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
“Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”
He went on to say that there is no evidence to suggest that customer security related to other RSA products has been similarly impacted and it was confident that no other EMC products were impacted by this attack.
Coviello said: “It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident. Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident.”
He concluded by saying that RSA regrets any inconvenience or concern that this attack may cause for customers.
“APT threats are becoming a significant challenge for all large corporations. As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organisations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat,” he said.
Andy Kemshall, technical director of SecurEnvoy, who previously worked for RSA, said that RSA's announcement and acknowledgement of this attack was good, but he was seeing a high level of customer concern about the security of their data.
He said: “They are going to resellers and saying ‘we are nervous, what can be done if our tokens are breached?’ If the attackers got hold of the seed record then the same set of one-time passwords can be created. This leads to uncertainty and if they have been compromised then the only thing protecting them is the first factor of a four-digit password.”
Kemshall went on to claim that he knew of a flaw in the technology from the start, as RSA retained customer data on a database. “They need to deal with it quickly and they are in a tricky place,” he said.