Company feels strain after data breach

Rivals aim to reap gains from theft at EMC unit

By Hiawatha Bray
Globe Staff / June 7, 2011

A hacker attack on computers at the RSA Security division of Hopkinton’s EMC Corp. — and the use of the stolen information to break into computers at one of the nation’s biggest defense contractors — has blossomed into a crisis for the company.

Rival security companies are already moving to capitalize on the breach by offering alternatives to RSA’s security products. But RSA may be able to limit the damage if it moves quickly, analysts said.

RSA has sold 40 million of its SecurID devices, small plastic devices, called tokens, that generate numeric computer passwords. Customers hand out the tokens to employees and others who need access to their computer networks.

Mark Diodati, an analyst at the research firm Gartner Inc., said RSA has suffered a severe blow to its reputation. “It’s going to be permanent,” he said. But while the attack may have compromised millions of SecurID devices, he added, RSA’s underlying technology probably remains secure.

About 30,000 banks, corporations, and government agencies worldwide use the SecurID system to prevent unauthorized access to their data networks.

SecurID requires a user to enter two passwords to gain access to a network. The first password is memorized by the user. The second is a set of random numbers that appear on either a SecurID token or on a piece of software running on that user’s computer or smartphone.

The number displayed on the token, which changes every minute, is based on a unique digital “seed” assigned to each token.

RSA won’t say what information was stolen by hackers; but if they stole seed numbers for individual devices, they could calculate the displayed numbers and use them to break into customer networks.
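As an added illustration (not from the article, and not RSA’s proprietary algorithm), the public RFC 6238 TOTP scheme stands in for the token’s code generation below: the displayed number is a function of the seed and the current minute alone, so a copy of the seed reproduces every future code, and only issuing a fresh seed restores the second factor. The seed values are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed demo seed; real token seeds are secret per-device values.
DEMO_SEED = b"constructed-demo-seed-not-real"


def token_code(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Code a token holding `seed` displays at `unix_time`.

    RFC 6238 TOTP over HMAC-SHA1 is used here as a stand-in for the
    proprietary SecurID algorithm; the property that matters is shared:
    seed + clock completely determine the code, nothing else is secret.
    """
    counter = unix_time // step                      # one code per time step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(seed: bytes, submitted: str, unix_time: int,
                step: int = 60, digits: int = 6, drift: int = 1) -> bool:
    """Server-side check that tolerates +/- `drift` steps of clock skew."""
    for k in range(-drift, drift + 1):
        expected = token_code(seed, unix_time + k * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def second_factor_holds(seed_in_attacker_hands: bytes, seed_on_server: bytes,
                        unix_time: int) -> bool:
    """True when a party holding `seed_in_attacker_hands` still cannot pass
    the server's check, i.e. the token code is still a real second factor."""
    reproduced = token_code(seed_in_attacker_hands, unix_time)
    return not verify_code(seed_on_server, reproduced, unix_time)


if __name__ == "__main__":
    now = 1_000_000
    print("code shown on token:", token_code(DEMO_SEED, now))
    # Stolen seed record: the second factor collapses to the memorized password.
    print("factor holds with leaked seed:", second_factor_holds(DEMO_SEED, DEMO_SEED, now))
    # Token replaced with a fresh seed: the leaked copy no longer helps.
    print("factor holds after reseeding:",
          second_factor_holds(DEMO_SEED, b"fresh-replacement-seed", now))
```

The two RFC 6238 reference vectors in the test confirm the code derivation itself is correct before the seed-compromise check is run.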

A successful seed theft may have compromised vast numbers of SecurID tokens worldwide. RSA says that beyond the 40 million token devices, another 250 million people use the software-only version.

RSA executive chairman Art Coviello revealed the original breach in March, saying that it could help criminals attack networks that use SecurID.

Coviello said the company would work with its customers to shore up their defenses against such attacks.

Coviello last night issued an open letter to customers, saying that the attack appeared to be part of an aggressive campaign to steal military secrets. “The perpetrator’s most likely motive was to obtain an element of security information that could be used to target defense secrets,” Coviello said.

Defense contractor Lockheed Martin Corp. reported on Friday that its computer networks had come under assault in April by criminals using stolen SecurID data. The defense contractor said it fended off the attack and no sensitive data were lost. RSA officials confirmed that data stolen from its network were used in the attack. Another defense contractor, L3 Communications Corp., has sent an e-mail message to employees warning of similar attacks based on stolen SecurID files.

RSA customers contacted by the Globe were reluctant to describe what security changes they have made, if any, in response to the data breach.

“We became aware of the RSA incident in March and took immediate action,” said Holly Sheffer, spokeswoman for insurance company MetLife Inc. in New York. Sheffer declined to provide further details.

A spokeswoman for Wells Fargo and Co. said that customers have been notified.

Yesterday, Coviello said RSA would replace SecurID tokens for customers who believe the breach may have threatened their network security.

It is unclear whether EMC could be legally liable for damage caused by the breach. But the spate of bad publicity could undermine RSA’s reputation and erode its sales. Still, a downturn at RSA probably would not have a major financial impact on the parent company. EMC generated $17 billion in 2010 revenues. Of that, RSA contributed $729 million, or just over 4 percent.

Bill Kreher, senior technology analyst at Edward Jones & Co. in St. Louis, predicted that the RSA breach would do little harm, unless it leads to security breaches at many more companies.

“If it were to turn into a chain of customers having issues,” said Kreher, “certainly any prospective customers would think twice about using such a service.”

RSA’s rivals have seized the opportunity to profit from the company’s woes.

In March, not long after the original breach, CA Technologies Inc. of Islandia, N.Y., launched a trade-in program aimed at getting SecurID customers to switch to CA’s rival security product.

Another rival, the British firm SecurEnvoy Ltd., said there has been a significant increase in queries from businesses that now use SecurID.

“Our resellers are telling us that there are customers all over the place talking to them about switching over from RSA,” said Andrew Kemshall, a SecurEnvoy cofounder and a former executive at RSA Europe. “We don’t need to go after them . . . they are very nervous.”

Hiawatha Bray can be reached at bray@globe.com.