Jul 30, 2011 10:55 GMT

A data breach that resulted in the theft of information related to its SecurID authentication product has cost RSA Security and its parent company EMC $66 million so far.

According to the Washington Post, the sum was revealed in an earnings call on Tuesday. "We incurred an accrued cost associated with investigating the attack, hardening our systems and working with customers to implement our remediation programs," EMC's executive vice president David Goulden said.

The costs included expenses associated with monitoring the networks of customers who expressed concerns over the integrity of the product after the breach.

The intrusion occurred in March and was the result of a spear phishing attack against RSA employees that exploited a zero-day Flash Player vulnerability.

The company was very vague following the breach, saying only that information regarding its SecurID product was targeted, but that its customers were not at risk.

SecurID is a two-factor authentication solution consisting of a hardware token that generates unique one-time-use codes. It is estimated that there are over 40 million SecurID tokens in existence, and the product is used by thousands of companies, organizations and government agencies around the world.

RSA was criticized by the information security community for its lack of transparency regarding this incident, and in May it was reported that a cyber attack against Lockheed Martin involved cloned SecurID devices.

Following the attack and the revelation that other military contractors might also have been targeted as a result of its data breach, RSA Security offered to replace all SecurID tokens for concerned customers.

It's not clear how many customers have requested replacements so far and how many of these requests have been honored. However, considering that the $66 million in costs was reported as part of the financial results for the second quarter, it's likely that it doesn't include replacements.