RSA Admits That SecurID Tokens Were Compromised

Melanie Gross
Jun 7, 2011
Updated • Dec 15, 2014

RSA has finally opened up and started talking about the March breach of its systems. Admitting that SecurID tokens were compromised, the company has promised to replace all 40 million tokens for any client that feels it is necessary. Chairman Art Coviello also stated that the company is offering transaction monitoring to financial institutions.

The admission is a big deal considering the recent cyber-attacks on the networks of three US military contractors: L-3 Communications, Northrop Grumman and Lockheed Martin. While only one breach was confirmed outright, the others were hinted at by internal warnings and suspicious-looking domain-name and password-reset processes.

RSA SecurID is a two-factor authentication system intended to secure access to sensitive data. Tokens are issued in either hardware or software form. A token generates authentication codes at fixed intervals (usually 30-60 seconds) using a built-in clock and a factory-encoded random key (called a “seed”). If all 40 million tokens in circulation are compromised, the only choice RSA has is to replace them. Doing so is surely going to cost a huge chunk of money, and the admission cannot be making the companies that have been using the “broken” SecurID tokens for the past several months happy.

What is concerning is that no official details have come forth about what, exactly, was stolen that allowed hackers to misuse the tokens. Given the way the tokens work, it seems likely that the seeds that link each token to a specific account, and the algorithm that calculates the numeric sequence the tokens generate, were compromised as well.
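To make the "seed plus clock" point concrete, here is an added example (not code from the article or from RSA) that implements a generic time-based one-time password in the style of RFC 6238 (HMAC-SHA1 over a 30-second step counter). SecurID's own algorithm is proprietary and is not what this code implements; the example only illustrates the property the article relies on: the code is a deterministic function of the seed and the current time, so any party that holds the seed database can compute every token's codes, and the only remedy is to re-seed (replace) the tokens. The `DEMO_SEED` value is the public RFC 6238 test-vector key, and `reseed` is an assumed helper that models issuing a replacement token.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demonstration seed: the RFC 6238 test-vector key (ASCII "12345678901234567890").
# A production token carries a factory-provisioned secret that must never leave the vendor/customer.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of elapsed time steps since the epoch.

    Nothing here depends on the user or the device; only the seed and the clock matter."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, submitted: str, unix_time: int, step: int = 30,
           digits: int = 6, drift_steps: int = 1) -> bool:
    """Server-side check that tolerates a small clock drift (+/- drift_steps intervals)."""
    counter = unix_time // step
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        if hmac.compare_digest(hotp(seed, c, digits), submitted):
            return True
    return False


def reseed() -> bytes:
    """Model token replacement: a fresh 160-bit seed generated from a CSPRNG.

    Codes derived from the old seed stop verifying the moment the server stores the new one."""
    return secrets.token_bytes(20)


def old_seed_still_works_after_reseed(old_seed: bytes, unix_time: int) -> bool:
    """Returns True only if a code computed from the OLD seed is accepted by a server
    that has switched to a NEW seed. Expected: False, which is why replacement is the fix."""
    new_seed = reseed()
    code_from_old_seed = totp(old_seed, unix_time)
    return verify(new_seed, code_from_old_seed, unix_time)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; use int(time.time()) for a live clock
    print("code at T=59 (8 digits):", totp(DEMO_SEED, now, digits=8))
    print("verifier accepts it:", verify(DEMO_SEED, totp(DEMO_SEED, now, digits=8), now, digits=8))
    print("old-seed code accepted after reseed:", old_seed_still_works_after_reseed(DEMO_SEED, now))
```

The verifier compares with `hmac.compare_digest` and accepts only a narrow drift window, so a leaked seed is the whole game: clock drift tolerance and code length do nothing to protect a token whose seed is known to someone else. That is the security rationale behind replacing, rather than patching, affected tokens.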

Experts in the security industry, as well as knowledgeable consumers, are unhappy with RSA’s failure to disclose the exact nature of the stolen data. Many people feel that the non-disclosure actually allowed the subsequent breaches while keeping consumers in the dark about the reality of the danger to their sensitive data. Chairman Coviello defended the company’s actions on that count by explaining that they didn’t want to reveal to hackers how to mount further attacks.

Despite the breach, Lockheed Martin assured the public that their systems remained secure and that no customer, program or employee personal data was compromised. In light of this new information, though, one has to question the likelihood that true security was maintained.

Recent cyber-attacks on major businesses and government organizations make it clear that it is paramount that security protocols be taken up a notch. Consumers need to feel safe in the knowledge that their personal information is secure and it is the responsibility of the businesses in question to make that happen. The Department of Homeland Security has offered to help determine the scope of the attacks. Hopefully these serious breaches in security will inspire contractors and businesses alike to take extra measures to secure information in the future.

Do you think that the government should get involved? Or is this just another way for the government to go snooping around our personal and private lives?




  1. Crodol said on June 7, 2011 at 8:52 pm

    How do the RSA tokens look? I have two of those random number generators but I am not sure if they might be affected?

  2. Radrick said on June 7, 2011 at 8:32 pm

    Is there an alternative to RSA? Should companies be looking for an alternative, or does this mean that all sites using secure logins like banks are potentially compromised?

  3. bastik said on June 7, 2011 at 8:05 pm

    “has promised to replace all 40 million tokens, for any client that feels it’s necessary”

    I hope all of them will feel that way.
