Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

RSA SecurID Breach Cost $66 Million

EMC details second quarter 2011 cost to replace tokens, monitor customers, and handle fallout from RSA's SecurID breach.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Between April and June 2011, EMC spent $66 million dealing with the fallout from a March cyber attack against its systems, which resulted in the compromise of information relating to the SecurID two-factor authentication sold by EMC's security division, RSA.

That clean-up figure was disclosed last week during an EMC earnings call, by David Goulden, the company's chief financial officer. It doesn't include post-breach expenses from the first quarter, when EMC began investigating the attack, hardening its systems, and working with customers to prevent their being exploited as a result of the attacks.

In spite of the breach, EMC reported strong second-quarter financial results, earning consolidated revenue of $4.85 billion, which is an increase of 20% compared with the same period one year ago. Meanwhile, second-quarter GAAP net income increased by 28% from the same period last year, to reach $546 million. The company saw large growth in its information infrastructure and virtual infrastructure products and services, including quarterly revenue increases of 19% for its information storage group.

Those results led executives to increase their financial outlook for 2011 and predict consolidated revenue in excess of $19.8 billion, which would be a 16% increase from EMC's 2010 revenues of $17 billion.

Growth was slower for RSA, however, which saw year-on-year revenue growth increase slightly, from 8% to 13%, fueled by the company's identity management, protection, and security management compliance businesses. "It is likely that RSA growth will remain a bit slower as remediation efforts continue," said Goulden. But he said that "overall customer feedback is positive and increasingly, customers are showing confidence."

As that suggests, RSA faced criticism after the breach for failing to disclose details of what had been stolen, or how it might be used against its customers. RSA's approach changed somewhat, however, after attackers used stolen SecurID information to launch attacks against numerous defense contractors, including Lockheed Martin.

Facing increasing criticism from customers and commentators after those attacks, RSA chairman Art Coviello in early June issued an open letter providing additional details about the breach and RSA's approach to handling it. He also announced that RSA would offer replacement tokens to more customers. But despite the additional details, Coviello stopped short of explaining exactly what attackers had stolen and how that might effect customers.

According to Goulden, RSA ultimately offered replacement tokens to the one-third of its customers who use SecurID to protect intellectual property and corporate networks. For the other two-thirds of customers, who largely use the tokens to protect "Web-based consumer financial transactions," the company offered additional security monitoring. That strategy was decided by EMC after determining that attackers didn't appear to be seeking consumers' financial details. Rather, he said, "our analysis of the attack led us to believe that likely targets were the defense sector and related government agencies."

On the earnings call, Goulden also defended RSA's post-breach approach, saying the shift in strategy hadn't been related to a change in the actual risk facing customers. "What did change was our customer's sensitivity to risk. This was caused by the same news flow around cyber attacks as in addition to press coverage of the attack on Lockheed Martin, there was broad media coverage of attacks on organizations including Google, Sony, Epsilon, the Australian government and PBS," he said. "While these attacks were entirely unrelated to RSA, the publicity resulted in many customers risk tolerance going down while the level of awareness and concern went up."

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13757
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
CVE-2020-13758
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
CVE-2020-9291
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
CVE-2019-15709
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
CVE-2020-13695
PUBLISHED: 2020-06-01
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.