RSA security breach leaves data for 40M employees vulnerable

The servers of RSA, the security division of information storage giant EMC, have been breached and sensitive information from more than 40 million employees may have been compromised.

The information at risk is the two-factor authentication tokens used by employees to access corporate and government networks.

The RSA authentication security system uses these tokens to create a time sensitive number for an employee to enter along with his or her password.

This additional security measure is important because it prevents attempts from hackers who may have uncovered an employee’s password. If the hackers were able to access information from a particular company, they might be able to generate the password for one of its tokens.

Says RSA Executive Chairman Art Coviello, “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our  RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

RSA’s system is currently used by approximately 25,000 organizations, including banks and the US military.

RSA contacted customers asking them to follow a number of cautionary practices. The company says it is examining the breach and is working with the authorities; there is no doubt more information will be announced shortly.

Trackbacks

  1. [...] RSA SecurID scandal of earlier this year, in which a who’s-who of large firms are believed to have been [...]

  2. [...] tokens are also dependent on the security of the issuer or manufacturer. Case in point is the March 2011 breach of RSA SecurID tokens. Companies that issued RSA’s two-factor dongles were simultaneously relying on RSA’s [...]

  3. [...] tokens are also dependent on the security of the issuer or manufacturer. Case in point is the March 2011 breach of RSA SecurID tokens. Companies that issued RSA’s two-factor dongles were simultaneously relying on RSA’s internal [...]

  4. […] needed for two-step logins like this. Think of Authenticator as a digital version of those little RSA SecureID tokens that display a different code every minute or two. Google created Authenticator for its own login […]