The SecurID data breach at RSA Security earlier this year cost the company around $66 million, it has confirmed.
However, SecurID users also spent time and resources ordering and reissuing new hardware tokens for business users, SecurEnvoy says.
Tokenless authentication specialist SecurEnvoy said that while some estimates assessed the corporate costs at around $100 per user to replace their SecurID tokens, the real costs to both EMC and its clients are likely to be even higher.
"As well as the difficult-to-quantify indirect costs, there is also the issue that many organisations will have had to beef up their security in other areas, as the trustworthiness of the SecurID system will have – quite understandably – taken a hit in many businesses," said SecurEnvoy CEO Andy Kemshall.
"We've observed this trend when talking to potential new customers, who have woken up to the fact that they are now having to factor in the previously unplanned-for costs of redeploying new hardware tokens amongst their workforce, many of whom are scattered across a wide area."
If the organisations had used a software-based token system, or a tokenless authentication system that makes use of a mobile phone as an authentication vehicle, then redeploying replacement tokens would have cost far less and taken a lot less time, he added.
The $66 million price tag on the data breach included the cost of RSA investigating the attack, as well as hardening its systems and working with customers to remediate the problem.
Remediating the security systems failure at EMC/RSA Security, as well as developing workarounds for the compromised hardware token system, will have cost the firm's clients a vast amount of money, Kemshall said.
There are estimated to be around 40 million SecurID tokens in active usage, so assuming a remediation cost of $100 per token, it is believed that RSA Security's customers will have spent $4 billion in solving the company's security failings.
"This is a lot of money and, as well as questioning why their IT departments are continuing to use a hardware system that could be compromised once again, client organisations should also be looking at alternative options that can save them money in the shorter, as well as longer term," Kemshall said.
"Hardware tokens are clearly a secure method of authenticating a user when accessing an IT system remotely, but if the underlying resource for that security is compromised, the fall-out can be significant.
"Companies should be looking for alternative solutions that do not rely on manufacturers storing token seed record information."