Apparently even the security experts can’t stay secure
It is always embarrassing when a security firm gets hacked. But it’s extraordinary and perhaps unprecedented when a senior firm behind one of the industry’s top security standards gets hacked.
That’s precisely what happened with RSA Security, which self-reported [press release] an intrusion and possible loss of data this week.
RSA Security was founded in 1982 by Ron Rivest, Adi Shamir, and Leonard Adleman, three top cryptographers who developed a new public-key cryptography algorithm. The algorithm, RSA, was named after their last initials, and the company took on that name as well.
It operated independently, supporting the standard and providing security services, up until 2006. Along the way it acquired several smaller security startups. Then in 2006 it was acquired by the EMC Corporation in a deal worth $2.1B USD.
Apparently having three top industry pioneers isn’t an invulnerability charm, though. RSA Security writes:
Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
Despite believing that information was stolen, RSA assures its customers that their personal info and the security of the company’s software products were not compromised. Yet it goes on to advise clients to follow online advice to safeguard themselves against possible fallout from the data loss.
The company says it will assist its customers if they experience financial ramifications from the breach. It also promises to “strengthen” its own and its clients’ security in the wake of the incident.