Is it time for RSA to open up about SecurID hack?

11.06.2011
For any company that makes its living selling security, it's a nightmare come true. This week, RSA Security admitted that three months ago hackers had stolen information about its SecurID tokens and then used that information to attack a customer, Lockheed Martin.

RSA seems to think the vast majority of its customers aren't directly threatened by the hacking incident, but the company's reputation has taken a hit. And users and pundits alike have blasted RSA for not being clear about exactly what was taken, and how it could affect them.

Calls for more disclosure about the March hacking incident only got louder this week, after Lockheed Martin confirmed that it was reissuing RSA tokens company-wide in response to the attack, and after

By not disclosing what happened, RSA is making it hard for customers to understand the risks they face and make informed decisions, said Thierry Zoller, practice lead for Verizon Business Luxembourg. "It's time for them to come clean," he said. "By not coming clean they are creating more fear, uncertainty and doubt than necessary."

RSA has said the hackers were sophisticated, but it has been vague about what exactly they managed to steal. The best the company could do this week was to confirm that "the attack resulted in certain information being extracted from RSA’s systems that is related to RSA SecurID multi-factor authentication products."

Even without a clear answer from RSA, some security experts took the Lockheed Martin incident as proof that the hackers who broke into RSA's systems are now able to clone SecurID tokens and use them to break into networks.