Zero damage from last year's RSA breach

Ain't hindsight a wonderful thing!

Even though the security breach of RSA last year resulted in the potential compromise of the company's SecurID login tokens -- 50 million of which are currently in use -- no real harm was done, says the company.

"There hasn't been a single breach that resulted in a loss, not a single one," RSA executive chairman Art Covellio told journalists in Sydney this week.

"There was only one publicly-disclosed breach [where] it was even suggested that information stolen from us was used, and that attack was defeated," he said, referring to the attack on US defence contractor Lockheed Martin.

There were no breaches that weren't publicly disclosed either, said Coviello, because RSA stays very close to law enforcement and "other agencies" who, he said, would tell them about any breaches and work with them to ensure the replacement of tokens "if necessary".

When the Lockheed story broke, RSA told customers that if they thought they were at risk then their SecurID tokens would be replaced. In the case of banks, RSA would provide transaction monitoring.

"Over and above that, there were belts and suspenders in a lot of the Australian banks because they had our transaction monitoring capability which gave them, believe it or not, four factors -- the password, the PIN, the passcode, and transaction monitoring -- and that story, try as we might, never really got out in the Australian press," Coviello said.

"So there was very, very, very, very, very little risk in those particular instances," he said. "I don't think we ever hyped the threat."

Whether that really was four factors of authentication is a moot point. Personally I'd count that as only two because a password, PIN and passcode are all "something you know".

Nevertheless RSA did the right thing by providing real information to its customers early on. They had to, of course, because their customers needed to understand the potential risks.

In the end, the number of SecurID tokens that were replaced wasn't the tens of millions in circulation but, as Coviello put it, "a fraction, fraction, fraction of that" -- although he refused to give an actual number.

"What won't come out if I give you that data is the fact that no-one really needed to replace a token," he said.

Contact Stilgherrian at or follow him on Twitter at @stilgherrian

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Show Comments