March 18, 2011, 12:10 AM — It's never a good sign when a network security company prominently features on its website home page an "urgent message" to customers "regarding their product security."
But on Thursday that's what greeted visitors to the Internet home of EMC subsidiary RSA Security, which posted an open letter from company Chairman Arthur Coviello Jr.
In his message, Coviello tells customers, "Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA."
How unfortunate for RSA, but why is he telling us about it? Oh, maybe this is why:
"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."
Ruh-roh. If there's one thing security customers hate to hear, it's that a security incident targeting their security software vendor may make their enterprise security less secure. This tends to make customers insecure.
And RSA has plenty of SecurID customers -- more than 40 million as of 2009. Further, SecurID tracks the identities of more than 250 million people, according to the New York Times.
Among RSA's customers are HDFC Bank, Boeing Employee Credit Union, Lockheed Martin, Canon U.S.A. and federal, state and local government agencies.
Coviello tries to combine his dire warning with reassurances:
"We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident."
"We have no evidence"..."We are also confident"..."we do not believe"... there's not much definitive here. And while RSA absolutely did the right thing by being up-front about the breach (assuming it was up-front), if I were a customer, I'd be understandably concerned.
And if I worked in marketing for RSA, I'd be hating my job right about now.
Chris Nerney writes about the business side of technology market strategies and trends, legal issues, leadership changes, mergers, venture capital, IPOs and technology stocks. Follow him on Twitter @ChrisNerney.