Tuesday, April 5, 2011

The Epsilon Security Breach: Millions Affected: The List Is Growing!







THE CURRENT MALWARE ATTACKS AND SECURITY BREACHES MUST BE TAKEN SERIOUSLY, AS SOME ARE ONLY STEP ONE IN DATA HARVESTING AND PERSONAL JEOPARDY!


Online marketing company Epsilon, used by many retailers, banks, and online services, suffered a major security breach over the weekend, potentially exposing the names and email addresses of millions of customers.

If you are a customer of one of Epsilon's corporate clients, your information may be at risk. A partial list of businesses affected by the breach includes:

Wal-Mart, Best Buy, US Bank, Citigroup, J.P. Morgan Chase and Walgreens.

We recommend you pay close attention to your email inbox, as you may experience an increase in spam email and phishing attacks (which may appear to come from some of the companies who have been affected, such as Wal-Mart or Walgreens).

For more coverage check out ABC News and The Guardian.

I keep a Best Buy account as a matter of keeping this beast of a machine up and running. I received this message yesterday, and today I have had nine (9) phishing expeditions in my email. In addition to this problem, the recurrent "You have a problem, LET US SCAN" scam/infector is virulent in graphics files. Should you see this message, and even if the scan begins, just keep backing out. You're safe until it completes its dirty work.

Dear Valued Best Buy Customer, 

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization. 

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this. 

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders. 

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy. 

Our service provider has reported this incident to the appropriate authorities. 

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx. 

Sincerely, 

Barry Judge 
Executive Vice President & Chief Marketing Officer 
Best Buy


Epsilon Email Breach: What You Should Know


Hackers Expose Millions of Email Addresses, Names. Watch For Spam


If you're a customer of Walgreens, Best Buy, Citigroup or one of several other major U.S. companies, you might want to put your email inbox on high alert.

Over the weekend, those retailers were the latest on a growing list of big-name businesses to warn customers that computer hackers may have accessed their email addresses and names. All of the companies work with the Dallas-based online marketing firm Epsilon, which said Friday that its system had been breached, potentially exposing its corporate clients' customer information.

When reached by ABCNews.com, a spokeswoman said she was unable to comment as the company conducts an investigation and cooperates with authorities. But in its statement, Epsilon, which sends 40 billion emails annually on behalf of more than 2,500 clients, said a subset of its clients' customer information was compromised in the data breach.
"The information that was obtained was limited to email addresses and/or customer names only," the company said. "A rigorous assessment determined that no other personal identifiable information associated with those names was at risk."

Affected Customers Could See More Spam, Phishing Attacks, Experts Say


J.P. Morgan, Kroger's, Capital One Financial, Barclay's Bank, The College Board and TiVo are among the companies to acknowledge that their customers' data may have been accessed by hackers. (For an up-to-date list of confirmed companies affected by the attack, check out SecurityWeek's list here.)
While security experts say hackers are usually interested in more sensitive data than people's names and email addresses, they still warn that affected customers should be extra careful with their email.
Graham Cluley, a senior technology consultant with the security firm Sophos, said that although the Epsilon breach appears to have hit many well-known companies -- and their millions of customers -- at least the hackers didn't run away with credit card information or home addresses, which could be used to commit identity theft or make unauthorized purchases.
Customers with compromised email accounts could expect a surge in annoying spam to their inbox, he said, but the hack could have more insidious effects, too.
"The biggest danger here really is that spammers could then target you with email pretending to come from these organizations," Cluley said. "You might get fooled into being phished for your log-in information or being sent malware or a dangerous Web link."

Hackers Could Use Stolen Email Addresses Months Down the Road


Now that the hackers have a treasure trove of verified email addresses, they could use them themselves or sell them on the black market, he said.

Even months down the road, customers could get an email masquerading as a message from their bank or credit-card issuer containing poisonous Web links. Once clicked, those links could install malicious code on their computers or try to trick them into giving up valuable information, such as credit card information or log-in data to their banks or social media accounts.
To keep your personal information protected, experts say you should be wary of unsolicited messages, especially those with attachments and that ask you for information. Cluley said it's important that if you receive an email from a company (even one that you do business with) that contains a Web link, don't click on it. Instead, go to the website directly and log in from there.
"It's a pretty ugly situation from that point of view," he said. "But, at the same time, thank goodness this isn't credit card information."
The Associated Press contributed to this report.  

Epsilon Email Hack: Millions Of Customers' Details Stolen


Customers of Barclaycard US, Capital One and other companies warned after attack on marketing email provider Epsilon

Computer hackers have stolen the names and email addresses of millions of people in one of the largest internet security breaches in US history.

The names and email addresses of customers of Barclaycard US, Capital One and other large firms were taken in an attack on the marketing email provider Epsilon last week. British customers of Barclays Bank, which owns Barclaycard US, were not affected. A spokesman for Barclaycard US confirmed to the Guardian that it would continue to work with Epsilon despite the breach.

Other information, such as passwords or credit card details, is not thought to have been exposed. However, some banks have warned customers to expect fraudulent emails attempting to solicit further login details.

The UK Information Commissioner's Office (ICO), which investigates data breaches of this kind, said it was making inquiries into whether any Britons were among those affected.

Epsilon, which provides marketing services via email to about 2,500 companies, put a warning on its website on Friday stating that its systems had been "exposed by an unauthorized entry" into its email system. Epsilon said it would not comment further on the breach when contacted by the Guardian. It is not yet known who perpetrated the attack, which US law enforcement agencies have begun investigating.


"The information that was obtained was limited to email addresses and/or customer names only," Epsilon said in its statement. "A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."

Over the weekend, dozens of Epsilon clients began to warn customers that their email addresses may have been stolen. Some of the largest financial institutions in the US, such as JPMorgan and Citigroup, are among the companies affected. Best Buy and Walt Disney subsidiary Disney Destinations also began warning their customers about the security breach. The list of companies affected is expected to continue to grow.

TiVo, the US video-on-demand company, wrote to its customers on Sunday morning: "Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties."

A list of millions of email addresses with their source is likely to be incredibly lucrative for so-called "phishing" scams, where credible-looking emails are sent to people soliciting other sensitive information, such as bank account details.

"Losing your email address via a service to which you already belong makes it much easier for scammers to hit you with emails which match your existing interests, at least loosely," said Paul Ducklin of internet security firm Sophos. "That, in turn, can make their fraudulent correspondence seem more believable."


The attack has drawn parallels with other large-scale computer infiltrations, most notably the Heartland Payment Systems breach of 2008. More than 40m bank account details were stolen in that attack, conducted by a criminal gang led by notorious hacker Albert Gonzalez. Gonzalez was later sentenced to 20 years in prison.


Last month an Iranian hacker claimed he stole digital security certificates used for online transactions by some of the web's largest sites, including Google, Yahoo, Microsoft and Skype.


IRVING, TEXAS – April 1, 2011 - On March 30th, an incident was detected where a subset* of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

For Media Inquiries please contact Jessica Simon (212-457-7135, jsimon@epsilon.com)
For Consumer Inquiries please contact Sarah Branam (303-410-5369, sbranam@epsilon.com)

* Updated April 4, 2011: The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services.

Epsilon Email Breach


Here are just some additional names that have now been confirmed as affected by this breach. (This is not a complete list; not all affected companies have been made public.) This list comes from NEOWIN.NET (LINK)



·         Abe Books
·         American Express
·         Ameriprise Financial
·         Barclays Bank of Delaware
·         Best Buy
·         Borders
·         Brookstone
·         Capital One
·         Citibank
·         City Market
·         CollegeBoard
·         Dillons
·         Disney Vacations
·         Food 4 Less
·         Fred Meyer
·         Fry’s
·         Hilton Honors
·         Home Shopping Club (HSN)
·         The Home Shopping Network
·         Jay C
·         JP Morgan Chase
·         King Soopers
·         Kroger
·         LL Bean
·         Marriott Rewards
·         McKinsey Quarterly
·         New York & Co.
·         QFC
·         Ralphs
·         Ritz Carlton
·         Robert Half
·         Smith Brands
·         TiVo
·         US Bank
·         Verizon
·         Visa
·         Walgreens


PLEASE REMEMBER NO REPUTABLE COMPANY WILL EVER ASK YOU FOR PERSONAL, CREDIT CARD, or ACCOUNT INFORMATION, DO NOT RESPOND TO ANY EMAIL ASKING FOR THAT KIND OF INFORMATION or CLICK ON ANY LINK IN AN EMAIL THAT ASKS FOR YOU TO VISIT A WEBSITE TO ENTER THAT INFORMATION. IF IN DOUBT CALL THE COMPANY THAT THE EMAIL CLAIMS TO BE FROM DIRECTLY TO CONFIRM YOUR SITUATION.
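The advice in the Cluley quote above (don't click a link in a company email; go to the site yourself) and in the warning just above can be turned into a mechanical check on a message before anyone clicks. The following is an added example, not code from the original post or from any of the companies named: it parses the links out of an HTML email, and flags any link whose host is not a domain belonging to the company the message claims to come from, and any link whose visible text names one host while the href points at another. The sample message, the host `bestbuy-secure.example` and the per-sender domain table are constructed for the demonstration; `bestbuy.com` and `geeksquad.com` are the two sites named in the Best Buy notice above.

```python
"""Flag links in an e-mail that do not lead to the claimed sender's own domain.

Added example (not from the original post). The sample e-mail below, the host
'bestbuy-secure.example' and the SENDER_DOMAINS table are constructed for this
demonstration. It implements the advice quoted in the post: treat a link in a
message claiming to come from a company as suspect unless it points at that
company's domain (and even then, the safer habit is to type the address).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a defender maintains, per claimed sender, the domains that sender
# legitimately links to. bestbuy.com and geeksquad.com are named in the notice.
SENDER_DOMAINS = {
    "bestbuy.com": {"bestbuy.com", "geeksquad.com"},
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'example.com' from 'mail.example.com'. Assumption: two-label public
    suffixes such as co.uk are not handled; real code would use the PSL."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_named_in_text(text):
    """If the visible link text itself looks like a URL or hostname, return that host."""
    t = text.strip()
    if "://" in t:
        return urlparse(t).hostname or ""
    if t.lower().startswith("www."):
        return t.split("/")[0].lower()
    return ""


def check_links(html_body, claimed_sender_domain):
    """Return a list of (href, reasons) for every link that deserves suspicion."""
    allowed = SENDER_DOMAINS.get(claimed_sender_domain, {claimed_sender_domain})
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme not in ("http", "https") or not host:
            reasons.append("non-web or malformed link")
        else:
            if registrable_domain(host) not in allowed:
                reasons.append(f"host {host} is not a {claimed_sender_domain} domain")
            text_host = host_named_in_text(text)
            if text_host and registrable_domain(text_host) != registrable_domain(host):
                reasons.append(f"visible text says {text_host} but link goes to {host}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample: one legitimate link and two that should be flagged.
SAMPLE_EMAIL = """
<p>Dear Valued Customer,</p>
<p>Please <a href="https://www.bestbuy-secure.example/login">confirm your account</a>.</p>
<p>Tips: <a href="https://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx">keeping your data safe</a></p>
<p>Or visit <a href="https://accounts.other.example/">www.bestbuy.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL, "bestbuy.com"):
        print(f"SUSPICIOUS: {href}: {reasons}")
```

Run against the constructed sample, the Geek Squad link passes and the other two are reported. The check only decides which links not to click; it says nothing about the legitimacy of the site behind an allowed domain, which is why the quoted advice to go to the site directly still stands.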

Targeted Nature Of Email Breach Worries Experts

SAN FRANCISCO – Think twice next time you get an email from Chase or Citi asking you to log in to your credit card account. The bank may not have sent it.

A security breach that exposed the email addresses of potentially millions of customers of major U.S. banks, hotels and stores is more likely than traditional scams to ultimately trick people into revealing personal information.

Security experts said Monday they were alarmed that the breach involved targeted information — tying individuals to businesses they patronize — and could make customers more likely to reveal passwords, Social Security numbers and other sensitive data.

The company that was in charge of the email addresses, a Dallas marketing firm called Epsilon, handles online marketing for some of the biggest names in business. Those companies have flooded customers in recent days with warnings to be on guard.

Epsilon said that while hackers had stolen customer email addresses, a rigorous assessment determined that no other personal information was compromised. By itself, without passwords and other sensitive data, email addresses are of little use to criminals. But they can be used to craft dangerous online attacks.

Citi credit card customers, for example, are more likely to respond to an email claiming to be from Citigroup than from a random bank. The email might direct the customer to a site that looks like the bank's site, capture login information and use it to access the real account.

David Jevans, chairman and founder of the nonprofit Anti-Phishing Working Group, said criminals have been moving away from indiscriminate email scams, known as "phishing," toward more intelligent attacks known as "spear phishing," which rely on more intimate knowledge of victims.

"This data breach is going to facilitate that in a big way," said Jevans, also CEO of security company IronKey Inc. "Now they know which institution people bank with, they know their name and they have their email address."

The information could also help criminals send highly personalized emails to victims. Doing so makes the email more likely to get past a spam filter.

Epsilon, a unit of Alliance Data Systems Corp., sends more than 40 billion emails a year and has more than 2,500 business clients. Stock in the parent company fell $1.73, or 2 percent, to close Monday at $84.20.

Meanwhile, more than a dozen companies contacted customers to instruct them never to reveal personal information in response to an email.

Financial institutions affected include Barclays Bank, Capital One Financial Corp., Citigroup, JPMorgan Chase and U.S. Bancorp. The parent companies of Best Buy, Ethan Allen furniture stores, the Kroger grocery chain, the Home Shopping Network and Walgreens drugstores issued similar warnings, as did the Hilton and Marriott hotel chains. The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student email addresses.

Many of the companies contacted by The Associated Press declined comment or referred reporters to statements acknowledging the breach. Epsilon also declined further comment. Some of the companies said Epsilon has referred the breach to unspecified authorities.

For victims of this type of security breach, there is little to do but be vigilant. Changing passwords doesn't help.

Jill Kocher of Crystal Lake, Ill., said she got at least five emailed warnings, including from U.S. Bank, Best Buy and clothier New York & Co. Because she works for Groupon, an Internet coupon company, she said she feels savvy enough to avoid any phishing come-ons. But she's concerned for those who aren't.

"U.S. Bank sends you an email and it looks legit and you cough up the information, and now you're in big trouble. It sure does sound like a big increase in fraud just waiting to happen," Kocher said.

The attack offers a window into a business that serves a vital role in the Internet age for companies looking for effective ways to find customers, sell to them, and figure out what they might want to buy in the future.

Epsilon is a big moneymaker for Alliance Data Systems. Epsilon turned $65 million in operating profit last year, and its $613 million in revenue was 22 percent of Alliance Data Systems' total.
Companies like Epsilon send emails to customers on behalf of companies, using vast stores of data and millions of addresses. Companies are eager to give up information about their customers — if the third parties such as Epsilon can do a better job at enticing them to spend.

So for example, an email that a retailer blasts to customers about an upcoming sale on big-screen TVs might not actually come from the company at all. A company such as Epsilon might be the one that analyzed the spending of that store's customers and decided which ones would be most likely to buy a big-screen TV.

Dave Frankland, an analyst with Forrester Research who studies Epsilon and other businesses that specialize in "customer intelligence," said large companies often outsource their email marketing to avoid having their messages zapped by email service providers' spam filters. Companies such as Epsilon work with the email providers to ensure that their customers' messages aren't blocked as spam. He said that is a job that requires daily attention.

Frankland said the industry's reputation will take a hit because the breach exposed how much the relationships between companies such as Epsilon and their customers depend on trust.

"At first glance, I shrug my shoulders and go, `Oh my goodness — a spammer knows my name,'" he said. "I get enough spam; that isn't new. But the bigger concern is when someone gets an email from one of these blue chip companies and it looks genuine. That's when I get very concerned."

But he added: "The industry should be looking at this as a let-off. This could have been a heck of a lot worse. It's not just Epsilon — it's an industry issue, and this could have been any of them."

Breaches involving millions of customers have happened before. In one of the largest, more than 45 million credit and debit cards were exposed to possible fraud because hackers broke into the computer system of TJX Cos., the parent company of retailers T.J. Maxx and Marshall's, starting in 2005.

And last month, RSA, the security division of data storage company EMC, acknowledged that its computer network was hacked. The implications are serious because RSA's technology underpins the security of some of the world's most closely guarded data. RSA makes small security devices that supply constantly changing numbers that are used as secondary passwords for accessing corporate networks and email.

If the attacker managed to steal the codes that determine which numbers appear on the tokens, that information could be used to perform mass infiltrations — if the attacker already has other information about the targets. That information can be gleaned from the type of "spear phishing," or targeted phishing, emails that the Epsilon breach can enable.

"I'm a little concerned that there's a big pattern going on here of very major breaches, where if you combine that information together, you could launch some pretty major attacks that would be very successful," Jevans said.

A huge Internet security breach that exposed countless names and email addresses also focused attention on an increasingly popular target for hackers: data firms that store customers' personal information for banks, retailers and other companies.
Customers of as many as 50 firms, including JPMorgan Chase & Co., Kroger Co., TiVo Inc., Best Buy Co., Walgreen Co. and Capital One Financial Corp., found out over the weekend that their email addresses were exposed to hackers who had broken into the system of Epsilon Data Management, a Dallas company that provides online mail services to 2,500 companies.
Notices from retailers and banks came as a surprise to many, including Chris Kubica of North Carolina, who received warning messages from Best Buy and TiVo.
"Wait, so I put my information into Best Buy, and it was stolen from some other place that I'd never heard of?" he said. "That's a little bit scary."
The attack on Epsilon is a type that has become increasingly attractive to hackers: They go after intermediaries or outsourcing companies like Epsilon.
Those data companies handle giant troves of sensitive personal information for many retailers, banks and other companies that deal directly with the public. And with customers sharing more data with those firms across many industries, the vulnerability of data storage companies has become a growing concern.
"These are examples of why those people who provide services to thousands of other companies have to be way more secure than the individual companies themselves," said John Pescatore, a security analyst at Gartner Inc.
The companies affected by the Epsilon hacker attack told their customers that they might see an increase in malicious email messages aimed at tricking them into handing over credit card data and other personal information.
In a ruse known as phishing, cyber-criminals try to bait consumers with emails that appear to be from legitimate companies and often ask for passwords, Social Security numbers and financial information.
Epsilon spokeswoman Jessica Simon declined to say how many users' names and email addresses had been exposed in the attack. But she noted that no additional personal information, such as Social Security numbers, had been exposed. The company said a full investigation was underway.
Though Epsilon may have been the source of the security breach, the companies that originally collected the information may ultimately be responsible if the lost data are used for purposes that harm consumers, including identity theft.
"The liability really rests with the company that directly interacts with consumers — regardless of what the fine print said," said Scott Brady, a managing director at Dewitt Stern, an insurance firm that works with clients in the entertainment and media industry.
In many cases, companies that provide commercial services maintain lengthy privacy policies that advise users that their email addresses or other information may be shared with other firms. But as with privacy policies from TiVo or Walgreen, secondary firms such as Epsilon are not named.
Although consumers may not be aware that their data are being shared with multiple companies, such outsourcing is commonplace in the e-commerce realm — and the potential for attack is no secret to firms involved.
"This is a widely understood and prevalent risk," said Brady, who himself received messages from Best Buy, Ralphs and JPMorgan Chase that his personal email address had been compromised. "There are constantly people trying to break into these data repositories."
The companies that were victimized by the attack generally said little about the extent of the security breach. A spokeswoman for Best Buy declined to comment on the number of customers affected.
Krista Wierzbicki, a spokeswoman for TiVo, referred to a brief release on the company's website, which noted that it was conducting an "internal investigation" to verify the information provided to the company by Epsilon.
She declined to say how many TiVo customers were affected.

By Rob Pegoraro

More spammers may know your e-mail address and your name after a major online marketer saw its database compromised.
Epsilon Data Management issued a press release on Friday warning that “a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.” The Irving, Tex., firm said it discovered the problem on Thursday and had since determined that only e-mail addresses, names or both had been exposed by the breach.
For those unfamiliar with the company before this weekend — which probably includes most readers, as well as myself — Epsilon calls itself “the world’s largest permission-based email marketing provider.” This subsidiary of Plano, Tex.-based Alliance Data Systems reports sending more than 40 billion e-mail messages a year on behalf of 2,500-plus client firms.
Those are the companies — to name a few, Best Buy, Capital One, Walgreen’s and TiVo — who would now be e-mailing you if your name or address were among those compromised.
Despite doing business with at least two Epsilon clients, I have yet to get any such apology. But my colleague Hayley Tsukayama received one such “we apologize for any inconvenience this may have caused you” note from U.S. Bank on Saturday. That message clarified that “we want to assure you that U.S. Bank has never provided Epsilon with financial information about you.”
And that’s the important point: While your e-mail address may be more public than before, other data about you is not. That makes this a much smaller problem than such past data breaches as the General Services Administration’s 2010 exposure of the names and Social Security Numbers of all of its 12,000 employees, or the long series of screwups that saw tens of millions of credit-card transactions compromised in the last five years alone.
Compared with that sorry record — and in light of the near inevitability of an e-mail account getting spammed — Epsilon’s error looks like a minor flub. But if you have been using only one account for all of your correspondence, instead of the more advisable policy of employing a secondary address for online shopping and bill payment, this could easily be more of an annoyance.
Have you received any apology-grams from Epsilon clients? Have any of them put any more creativity into their “sorry about your e-mail” notes than others?

http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands

More customers exposed as big data breach grows

(Reuters) - The names and e-mails of customers of Citigroup Inc and other large U.S. companies, as well as College Board students, were exposed in a massive and growing data breach after a computer hacker penetrated online marketer Epsilon.
In what could be one of the biggest such breaches in U.S. history, a diverse swath of companies that did business with Epsilon stepped forward over the weekend to warn customers some of their electronic information could have been exposed.
Drugstore Walgreen, video recorder maker TiVo Inc, credit card lender Capital One Financial Corp and teleshopping company HSN Inc all added their names to a list of targets that also includes some of the nation's largest banks.
The names and electronic contacts of some students affiliated with the U.S.-based College Board -- which represents some 5,900 colleges, universities and schools -- were also potentially compromised.
No personal financial information such as credit cards or social security numbers appeared to be exposed, according to the company statements and e-mails to customers.
Epsilon, an online marketing unit of Alliance Data Systems Corp, said on Friday that a person outside the company hacked into some of its clients' customer files. The vendor sends more than 40 billion e-mail ads and offers annually, usually to people who register for a company's website or who give their e-mail addresses while shopping.
"We learned from our e-mail provider, Epsilon, that limited information about you was accessed by an unauthorized individual or individuals," HSN, also an e-commerce operator, said in an e-mail to customers on Sunday.
"This information included your name and e-mail address and did not include any financial or other sensitive information. We felt it was important to notify you of this incident as soon as possible."
Citigroup customer names and some credit card customers' e-mail addresses -- but no account information -- were part of the data breach, the third-largest U.S. bank said on Saturday.
The College Board, which administers the SAT admissions tests, on Saturday warned students about the breach and asked them to be cautious about receiving "links or attachments from unknown third parties," according to two e-mails reviewed by Reuters.
The not-for-profit organization is in contact with more than 7 million students, according to its website. It did not immediately return calls for comment.
PROBING FOR ANSWERS
Law enforcement authorities are investigating the breach, though it was unclear on Sunday how many customers or students had been exposed. Epsilon is also looking into what went wrong.
"While we are cooperating with authorities and doing a thorough investigation, we cannot say anything else," said Epsilon spokeswoman Jessica Simon. "We can't confirm any impacted or non-impacted clients, or provide a list (of companies) at this point in time."
Capital One, which also runs a bank, and Walgreens, the largest U.S. drugstore, said the Epsilon hacker accessed its customer e-mail addresses, but no personally identifiable information.
TiVo, a maker of digital video recorders, said the information that was obtained was limited to e-mail addresses and clients' first names.
The incident comes three years after hackers penetrated Heartland Payment Systems, a credit and debit card processor, in one of the biggest identity-theft cases in U.S. history.
In that case, notorious hacker Albert Gonzalez led a ring that stole more than 40 million payment card numbers, and was later sentenced to 20 years in prison.
On Friday, JPMorgan Chase & Co, the second-largest U.S. bank, and Kroger Co, the biggest U.S. supermarket operator, said that some customers were exposed as part of the Epsilon data breach.
Citigroup announced that it had been affected on Saturday evening. Spokesman Sean Kevelighan said the bank started informing its customers of the breach on Friday through a link on its website.
Some of Epsilon's other clients include Verizon Communications Inc, Blackstone Group LP's Hilton Hotels, Kraft Foods Inc, and AstraZeneca.
(Reporting by Jonathan Spicer and Maria Aspan, editing by Maureen Bavdek, Diane Craft and Gunna Dickson) 

SecurID Company Suffers a Breach of Data Security


SAN FRANCISCO — The RSA Security division of the EMC Corporation said Thursday that it had suffered a sophisticated data breach, potentially compromising computer security products widely used by corporations and governments.
The company, which pioneered an advanced cryptographic system during the 1980s, sells products that offer stronger computer security than simple password protection. Known as multifactor authentication, the technology is typically based on an electronic token carried by a user that repeatedly generates a time-based number that must be appended to a password when a user logs in to a computer system.
RSA, which is based in Bedford, Mass., posted an urgent message on its Web site on Thursday referring to an open letter from its chairman, Art Coviello. The letter acknowledged that the company had suffered from an intrusion Mr. Coviello described as an “advanced persistent threat.”
In recent years a number of United States companies and government agencies have been the victim of this type of attack, in which an intruder either exploits an unknown software vulnerability or in some way compromises the trust of an employee to take command of a computer or an entire network within a company.
In 2009, for example, Google fell victim to an attack that it said had originated in China, and it ended commercial operations in the country in response.
Mr. Coviello said that the company’s investigation had revealed that the intruder successfully stole digital information from the company that was related to RSA’s SecurID two-factor authentication products. He did not give precise details about the nature of the information, but said it could potentially reduce the effectiveness of the system in the face of a “broader attack.” The company said that there was currently no indication that the information had been used to attack its customers.
“We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our I.T. infrastructure,” Mr. Coviello said. “We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.”
Company officials did not return phone calls seeking comment on Thursday.
Despite the lack of detail, several computer security specialists said the breach could pose a real threat to companies and government agencies who rely on the technology.
One possibility, said Whitfield Diffie, a computer security specialist who was an inventor of cryptographic systems now widely used in electronic commerce, is that a “master key” — a large secret number used as part of the encryption algorithm — might have been stolen.
The worst case, he said, would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems. Mr. Diffie is vice president for information security and cryptography at the Internet Corporation for Assigned Names and Numbers.
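The token mechanism described in the article (a device that generates a time-based number which is appended to the password) and Diffie's "master key" worst case are easiest to see in code. The following is an added example, not RSA's code: SecurID uses its own proprietary algorithm, so the open TOTP standard (RFC 6238, HMAC over a 30-second time counter) is used here as an illustration of the same structure. The seed value and timestamps are constructed for the demonstration (the seed is the RFC's published test seed). The defender's point it shows is that whoever holds the seed computes exactly the codes the token shows, which is why the seed material is the thing to protect and why the verifier must still demand the password as well.

```python
"""Time-based one-time password (TOTP, RFC 6238) as an illustration of the
token mechanism described in the RSA article.

Added example, not RSA's code: SecurID uses its own algorithm, so the open
TOTP standard is used to show the same structure, a shared secret ("seed")
plus the current time producing a short code. The seed and timestamps are
constructed for the demonstration. Anyone holding the seed computes the same
codes as the token, so the seed is the secret to protect, and the verifier
must still require the password as the second factor.
"""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code
DIGITS = 6       # length of the displayed code


def totp(seed, at_time, step=TIME_STEP, digits=DIGITS):
    """Compute the TOTP code for `seed` (bytes) at Unix time `at_time`.

    This is HOTP (RFC 4226) over the time counter: HMAC-SHA1 of the
    big-endian counter, dynamically truncated to `digits` decimal digits.
    """
    counter = int(at_time) // step
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_code(seed, submitted, at_time, skew_steps=1):
    """Accept a code for the current step or `skew_steps` steps either side.

    The window tolerates clock drift between token and server; it should be
    kept small, since every extra step is another code an attacker may guess.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(seed, at_time + delta * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password_ok, seed, submitted_code, at_time):
    """Two-factor check: the password AND the token code must both pass.

    A leaked seed lets an attacker reproduce the code, so this second
    condition is what a seed theft alone does not defeat.
    """
    return password_ok and verify_code(seed, submitted_code, at_time)


if __name__ == "__main__":
    # Constructed seed (the RFC 6238 test seed) shared by token and verifier.
    seed = b"12345678901234567890"
    now = time.time()
    token_display = totp(seed, now)        # what the device would show
    verifier_view = totp(seed, now)        # what the server computes
    print("token shows:", token_display, "server expects:", verifier_view)
    # A duplicate token built from a stolen seed shows the same number,
    # which is the worst case Diffie describes.
    print("duplicate token agrees:", totp(seed, now) == token_display)
    print("login with password and code:", login(True, seed, token_display, now))
    print("login with code alone:", login(False, seed, token_display, now))
```

With the RFC's test seed the code at time 59 is 287082 (the published 8-digit vector 94287082 truncated to six digits), which is a convenient way to confirm an implementation before trusting it.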
In addition to posting the chairman’s letter, the company submitted a filing to the Securities and Exchange Commission in which it stated that it did not expect the theft to have a financial impact.
RSA was founded in 1982 by a small group of technologists who at times were actively opposed by the National Security Agency, which was trying to limit the spread of sophisticated cryptography technology. In 2009, the company said publicly that its SecurID system was being used by 40 million customers. Last year it said its technology was used to secure the identities and assets of more than 250 million people. 

