The Washington Post

SecurID tokens compromised, company admits

RSA Security has offered to replace up to 40 million SecurID tokens — devices used to securely log in to a computer — after hackers stole information that compromised them, the company’s chairman said Monday.

The unprecedented offer to more than 30,000 companies and government agencies worldwide follows the company’s disclosure in March of “an extremely sophisticated” cyber attack on its systems. The attack resulted in the theft of valuable data related to SecurID, which could be used to launch a broader attack against a corporation using the tokens.

“Certain characteristics of the attack on RSA indicated that the perpetrator’s most likely motive was to obtain an element of security information that could be used to target defense secrets” and related intellectual property, rather than financial gain or users’ personal information, RSA Chairman Art Coviello said in an open letter to SecurID customers.

Last week, Bethesda-based Lockheed Martin, a major defense contractor, became the first corporation to acknowledge that its systems were breached, in part because of the compromised tokens. It has stated that its systems are “secure.”

The tokens are in wide use among defense contractors. Lockheed has begun to replace all its 45,000 SecurID devices, but that step may not be enough for companies, some security experts and industry officials fear, since the attacker who stole the RSA data may have already penetrated some networks.

What has stunned industry and some government officials alike is that SecurID was considered the gold standard in security. The device features “two-factor” authentication, requiring a user to enter both his password and a random six-digit number, generated every 60 seconds by the token, to log into a network.

“What RSA was really selling was confidence,” said one U.S. official, who was not authorized to speak for the record. “Their message was, ‘Use SecurID — it’s the standard in the industry,’ and at the same time, RSA’s back door was unlatched.”

The bottom line, the official said, is “we could have had significant losses and just don’t know it.”

Deputy Defense Secretary William J. Lynn has said that the threat to intellectual property may be the “most significant cyber threat” facing the United States over the long term. It is estimated that $1 trillion worth of intellectual property is stolen annually through computer network breaches.

The Pentagon “does not rely heavily” on RSA’s SecurID tokens, and the impact on the department “has been minimal,” spokeswoman Lt. Col. April Cunningham said.

Some firms are weighing whether to switch security vendors, said one industry official, who was not authorized to speak for the record.

RSA, which is a division of EMC, also has offered to provide extra anti-fraud detection technology to customers, typically those that focus on Web-based financial transactions.

The past several weeks have seen a number of high-profile attacks on major firms such as Sony, Google, and e-mail marketer Epsilon. These incidents “point to a changing threat landscape and have heightened public awareness and customer concern,” Coviello said.
