U.S. agencies respond to cyberattack on information security firm
By Ellen Nakashima
Federal agencies are confronting possible repercussions from a cyberattack disclosed last week on one of the nation’s largest information security companies.
RSA Security, a division of EMC, has contracts throughout the federal government for its SecurID system, which uses a device, or token, to generate a random six-digit number every 60 seconds. That number, when used with a user’s password, provides access to unclassified systems throughout government agencies.
In a filing Thursday to the Securities and Exchange Commission, EMC reported “an extremely sophisticated” cyberattack that targeted its RSA business unit and resulted in “certain information” about its products “being extracted.” Although there were no reports of lost customer data as a result of the breach, the risk is that the stolen information could enable a successful attack later, company officials said.
“We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident,” RSA Executive Chairman Art Coviello said in a letter to customers accompanying the filing.
Amy Kudwa, a spokeswoman for the Department of Homeland Security, said the federal government was working with RSA to secure networks that are accessible via SecurID. The tokens would generally be used when a government employee is trying to gain access to a computer system while on a personal computer or laptop.
“It’s not classified data but more proprietary and personal data that’s at issue,” said one defense industry official familiar with the breach, which occurred this month. “It will be a fairly significant event before this is all said and done.”
RSA has tens of millions of dollars' worth of contracts across the federal government. Agencies with large contracts include the Social Security Administration and the Defense Department and its service branches.
A senior security director for a Fortune 500 company that processes payroll transactions worldwide and uses SecurID said his firm had experienced no adverse effects. He said that within minutes of detecting the breach, RSA gave his company details on how it occurred so that it could defend against a possible attack.
Forty million SecurID tokens are in use in more than 30,000 companies and government agencies worldwide. The tokens range from a two-inch key fob that fits on a key chain to software versions used on iPhones and BlackBerrys.
Security experts said the breach shows another evolution in cyberattackers’ tactics. Instead of targeting banks or government agencies, they are targeting firms that provide security to those entities.
“It indicates some serious planning,” said James A. Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.
RSA issued an online bulletin this week with steps to help companies and agencies using SecurID protect their data. They include reviewing recent authentication manager logs for unusually high rates of failed authentications and educating users on recognizing efforts by outsiders to trick them into giving up passwords.
Staff researcher Julie Tate contributed to this report.