RSA posted an open letter to customers this week revealing that it had been the target of an advanced persistent threat (APT) that led to the compromise of sensitive information related to its SecurID authentication tokens.
The information shared in the letter is concerning for customers, but what is even more concerning at this point is what is not being shared. RSA has been scarce on details, basically just saying that it is “confident” there is no immediate threat of an exploit resulting from the hack, and that it has “no evidence” that any other products are impacted. Other than that, RSA just wants customers not to panic and to have faith that RSA has everything under control.
Art Coviello’s letter states, “As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”
The problem is deciding who gets to define “as appropriate”. Many customers feel it would be “appropriate” for RSA to be much more forthcoming about what information, specifically, was compromised by the hack, so that customers can better understand the threat, determine its scope and impact, and take proactive steps to guard against any potential SecurID hacks.
Perhaps RSA is unsure whether the attackers even realize what they have, and fears that divulging too many details could exacerbate the problem by pointing would-be attackers in the right direction. That seems like a reasonable possibility. But for now, RSA is just being vague about the details of the SecurID hack, and what RSA isn’t saying seems to be more revealing than what RSA is saying.