> series: anatomy_of_a_breach —— part: 026 —— target: rsa_security —— stolen: securid_token_seeds —— tokens_replaced: 40,000,000
On 17 March 2011, RSA Security, then the security division of EMC and the company behind the SecurID two-factor authentication token used by tens of thousands of organisations worldwide, including military and intelligence agencies, disclosed in an open letter from its chairman that it had suffered an 'extremely sophisticated cyber attack' in which information related to its SecurID products was extracted. The stolen data included the seeds: the per-token secret values from which each token derives the one-time codes it displays. A seed is tied to a token serial number, so an attacker who can match a stolen seed record to the serial number of a target's token, and who also obtains that user's PIN, can compute valid passcodes without ever possessing the device and impersonate that user at any SecurID-protected login.
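The following is an added example, not RSA's code or anything from the original page. It uses the openly specified HOTP/TOTP construction (RFC 4226/6238, HMAC-SHA1, 30-second steps) as a stand-in for SecurID's proprietary algorithm, which differs in detail but shares the property that matters here: the tokencode is a deterministic function of the seed and the time, so whoever holds the seed can compute it. The user name, PIN, seed values and the 'replacement' seed are constructed for the demonstration.

```python
# Added example (not RSA's or any vendor's code). RFC 4226/6238 HOTP/TOTP stands in
# for SecurID's proprietary algorithm; the seed-custody lesson is identical.
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default; SecurID hardware tokens use a different step
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of whole steps since the epoch."""
    return hotp(seed, int(at_time) // step)


class AuthServer:
    """Minimal SecurID-style verifier: the passcode is the PIN followed by the tokencode."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, str]] = {}  # user -> (seed, PIN)

    def enrol(self, user: str, seed: bytes, pin: str) -> None:
        self._records[user] = (seed, pin)

    def verify(self, user: str, passcode: str, at_time: int, window: int = 1) -> bool:
        record = self._records.get(user)
        if record is None or len(passcode) != len(record[1]) + DIGITS:
            return False
        seed, pin = record
        pin_ok = hmac.compare_digest(passcode[:len(pin)], pin)
        tokencode = passcode[len(pin):]
        # Tolerate +-window steps of clock drift, as production servers do.
        code_ok = any(
            hmac.compare_digest(tokencode, totp(seed, at_time + drift * STEP_SECONDS))
            for drift in range(-window, window + 1)
        )
        return pin_ok and code_ok


def run_scenario(at_time: int) -> tuple[bool, bool, bool]:
    """Return (user_ok, attacker_ok_with_stolen_seed, attacker_ok_after_reissue)."""
    # Constructed values: the RFC 4226 test key as the token seed, a made-up PIN.
    seed = b"12345678901234567890"
    pin = "1234"
    server = AuthServer()
    server.enrol("alice", seed, pin)

    # Legitimate login: alice reads the code off her token and prefixes her PIN.
    user_ok = server.verify("alice", pin + totp(seed, at_time), at_time)

    # Attacker: holds the vendor's seed record for alice's token serial and has
    # obtained her PIN separately (phishing, keylogger). No device is needed.
    stolen_seed = seed
    attacker_ok = server.verify("alice", pin + totp(stolen_seed, at_time), at_time)

    # Remediation: replace the token, i.e. enrol a fresh seed on device and server.
    # Constructed fixed value so the run is deterministic; real issuance is random.
    new_seed = b"replacement seed issued after the breach"
    server.enrol("alice", new_seed, pin)
    attacker_after = server.verify("alice", pin + totp(stolen_seed, at_time), at_time)
    return user_ok, attacker_ok, attacker_after


if __name__ == "__main__":
    print(run_scenario(59))  # -> (True, True, False)
```

The point the scenario makes is that the 'something you have' factor is really 'something only the device and the server know'; once the seed has a third holder, the PIN is the only secret left, and the only fix is to re-seed, which is why the remediation was a token replacement programme rather than a patch.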
The breach sent shockwaves through the defence and intelligence communities. SecurID tokens were the primary second factor for VPN access to some of the most sensitive networks in the world, including those of US defence contractors Lockheed Martin, Northrop Grumman and L-3 Communications. In late May 2011, roughly ten weeks after the disclosure, Lockheed Martin detected an intrusion on its network, and RSA subsequently confirmed that data taken from RSA had been used in that attack: the RSA compromise was not an end in itself but a means to a larger objective. EMC offered replacements for the roughly 40 million SecurID tokens then in circulation and recorded about $66 million in remediation costs.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call
The RSA breach began with a phishing email. Over two days in early March 2011, two small groups of RSA employees received emails with the subject line '2011 Recruitment Plan' carrying an Excel attachment, '2011 Recruitment plan.xls', that contained an embedded Adobe Flash object exploiting what was then a zero-day vulnerability (CVE-2011-0609). The mail had been caught by the junk filter; one employee retrieved it and opened the attachment. The exploit installed a backdoor, a variant of the Poison Ivy remote access trojan configured to connect outbound to the attackers' infrastructure, giving them a foothold inside RSA's network. From there, according to RSA's own account, the attackers harvested credentials, escalated to more privileged accounts, located and staged the SecurID data on internal servers, and exfiltrated it as password-protected RAR archives over FTP to a compromised external host.
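The chain above has two points where an organisation's own telemetry can catch it: an Office application spawning a process it has no business starting (the exploit dropping the RAT), and bulk archive transfers to an address outside the estate (the staging-and-FTP exfiltration). The detection logic below is an added example, not RSA's code or anything from the original page. The process and network events are constructed to resemble the described chain, the field names and the benign-child allowlist are assumptions, and the internal address space is assumed to be RFC 1918.

```python
# Added example (not RSA's code): detections for two steps of the chain above,
# run over constructed events. Field names and internal ranges are assumptions.
import ipaddress
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office app legitimately spawns; keep this list short and reviewed.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}
ARCHIVE_SUFFIXES = (".rar", ".7z", ".zip")
# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    child: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    host: str
    dst_ip: str
    dst_port: int
    filename: str
    bytes_out: int


def is_external(ip: str) -> bool:
    """True when the address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def office_spawn_alerts(events) -> list[str]:
    """Flag an Office process launching anything that is not Office or an allowed helper."""
    alerts = []
    for e in events:
        parent, child = e.parent.lower(), e.child.lower()
        if parent in OFFICE_APPS and child not in OFFICE_APPS | BENIGN_OFFICE_CHILDREN:
            alerts.append(f"{e.host}: {parent} spawned {child} ({e.cmdline})")
    return alerts


def staged_exfil_alerts(events, min_bytes: int = 50 * 1024 * 1024) -> list[str]:
    """Flag large FTP sessions or archive uploads to an external address."""
    alerts = []
    for e in events:
        if not is_external(e.dst_ip) or e.bytes_out < min_bytes:
            continue
        if e.dst_port == 21 or e.filename.lower().endswith(ARCHIVE_SUFFIXES):
            alerts.append(f"{e.host} -> {e.dst_ip}:{e.dst_port} {e.filename} ({e.bytes_out} bytes)")
    return alerts


# Constructed sample telemetry in the shape of the chain described above.
SAMPLE_PROC = [
    ProcEvent("ws-hr-07", "outlook.exe", "excel.exe", 'EXCEL.EXE "2011 Recruitment plan.xls"'),
    ProcEvent("ws-hr-07", "excel.exe", "cmd.exe", "cmd.exe /c %TEMP%\\update.exe"),
    ProcEvent("ws-fin-02", "winword.exe", "splwow64.exe", "splwow64.exe 12288"),
    ProcEvent("ws-hr-07", "cmd.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]
SAMPLE_NET = [
    NetEvent("ws-hr-07", "10.0.5.20", 445, "", 8_192),
    NetEvent("srv-file-03", "203.0.113.45", 21, "staging_part01.rar", 240 * 1024 * 1024),
    NetEvent("ws-fin-02", "198.51.100.9", 443, "", 12_288),
    NetEvent("srv-file-03", "203.0.113.45", 21, "staging_part02.rar", 180 * 1024 * 1024),
    NetEvent("srv-file-03", "10.0.9.40", 445, "backup_2011-03.zip", 900 * 1024 * 1024),
    NetEvent("ws-fin-02", "198.51.100.9", 443, "q1-report.zip", 70 * 1024 * 1024),
]

if __name__ == "__main__":
    for line in office_spawn_alerts(SAMPLE_PROC) + staged_exfil_alerts(SAMPLE_NET):
        print(line)
```

The first rule is deliberately parent-centric rather than keyed on any file name or hash, because a zero-day in an embedded object leaves nothing for signature matching; the anomaly is that Excel started a shell at all. The second rule checks the destination against explicitly listed internal ranges rather than a library notion of 'private', which keeps the decision under the organisation's control and avoids surprises with reserved ranges.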
The RSA breach is the definitive supply chain attack case study. The attackers did not target Lockheed Martin, Northrop Grumman or L-3 Communications directly; they targeted RSA, the vendor that supplied the authentication technology those organisations depended on. By compromising the supplier they gained a path into every customer, and a customer's own controls (patching, VPN hardening, monitoring of its own perimeter) could not have prevented it, because the secret that made the second factor a second factor was held by the vendor. This is the same supply chain pattern we documented in the Network Solutions breach.
The RSA breach was a harbinger. SolarWinds (2020), Kaseya (2021), MOVEit (2023) and the ongoing cascade of supply chain compromises all follow the same pattern: compromise the vendor, compromise the customers. The mechanism varies (secret material stolen from the vendor at RSA, a trojanised software update at SolarWinds, exploitation of vulnerabilities in a widely deployed vendor product at Kaseya and MOVEit), but the dependency being exploited is the same. For organisations in the defence supply chain and regulated sectors, supply chain security is no longer optional; it is a fundamental component of the threat model.
Our penetration testing assesses your organisation's own security posture. Cyber Essentials Plus certification demonstrates that your security controls meet the baseline expected by your customers. SOC in a Box monitors for the indicators of supply chain compromise — anomalous authentication patterns, unexpected data flows, and credential harvesting. And UK Cyber Defence provides incident response when a supply chain breach affects your organisation.
The RSA breach proved that supply chain compromise can invalidate your security controls overnight. Our <a href="/penetration-testing">penetration testing</a> validates your own defences. <a href="/cyber-essentials">Cyber Essentials</a> certifies your baseline. And <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects when something in your supply chain goes wrong.