Hackers have targeted a security company that makes identification tokens which help millions of people around the world provide authentication for online bank accounts and company IT networks.
RSA, a unit of US data storage company EMC, said hackers had launched an “extremely sophisticated” cyber attack on its SecurID two-factor authentication system. The system uses small devices to generate a unique number, which is then used in conjunction with another password to verify the identity of the person logging in remotely to a corporate IT network or accessing an online bank account.
RSA said in an online post to customers that the stolen information would not facilitate a direct attack on its ID devices. But it said that an investigation revealed the attack had resulted in certain pieces of information being extracted from its systems.
As well as being highly embarrassing for RSA, which hosts one of the industry’s main security conferences every year, the attack highlights the growing risk companies and governments face from cyber crime.
In an open online letter to customers, Art Coviello, executive chairman, said RSA had taken a variety of “aggressive measures against the threat” and was “working closely with the appropriate authorities”.
He said there was no evidence that customer security related to other RSA or EMC products had been affected, and he offered full support to customers.
Andy Kemshall, co-founder of SecurEnvoy, a UK rival to RSA, said that customers he had spoken to were keen to know whether hackers had stolen the “seed” records, which are the basis for the one-time passwords and could allow them to generate their own authenticated numbers.
RSA gave only generic advice to customers, such as warning them to keep a watch for user accounts that escalate their permitted level of access to company resources.
It was unclear whether the motive for the attack was strictly financial or if it was part of a broader strike.
Malcolm Marshall, head of information security at KPMG, said such attacks could have “multiple motivations, ranging from corporate espionage to ideological demonstration”, but he said that in this case hackers may have been looking to steal intellectual property or gain design information.
Countries are concerned by the growing number of attacks on IT systems as hackers look to steal data, intellectual property, money and even sensitive government information.
Last month Lady Neville-Jones, the UK’s security minister, warned that cyber attacks on government, businesses and individuals could be costing the UK economy at least £27bn a year.
RSA did not respond to requests for comment.