March 22, 2011
from CUNA NewsNow and NWCUA Staff Reports
RSA, the security division of EMC, has been hit by hackers. In an open letter posted on its website, RSA said it experienced an "extremely sophisticated" attack in which information related to the company's SecurID two-factor authentication products were stolen.
The "tokens" are employed by millions of end users, including credit unions.
The number of Northwest credit unions affected by the data breach has not been reported. However, depending on the circumstances surrounding it, RSA may be liable to financial institutions in Washington for some of the cost of cleaning up the mess if the company is deemed negligent.
In 2010, Washington credit unions championed a state law that holds negligent data breachers responsible for the hard costs of protecting members following a data breach.
Under the law, a data breacher must take reasonable care to guard against unauthorized access to account information or face potential liability to financial institutions. A business is considered to have taken reasonable care if account information was encrypted or was certified compliant with the payment card industry data security standards adopted by the Payment Card Industry Security Standards Council, and in force at the time of the breach
The Washington law went into effect last year, but has not been tested in court.
“We likely will not know for months the circumstances surrounding this breach,” said Northwest Credit Union Association Senior Vice President & General Counsel Stacy Augustine, one of the writers of the Washington data breach law. “Until then, affected credit unions should respond to the law under their internal security policies.”
The NWCUA will keep Northwest Credit Union Association members updated as more details on this data breach are learned.
RSW & SecurID
SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a key fob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.
In an open letter on the company's website, RSA Executive Chairman Art Coviello categorized the attack as an "advanced persistent threat" and said a company investigation revealed "certain information being extracted from RSA's systems."
"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello said.
Customer and employee security related to other RSA products or personal identifiable information do not appear to have been compromised, Coviello said.