H4cked Off: How the hell did the RSA hack cost EMC £40m?

29 Jul 2011

Computing reporter Stuart Sumner

Storage company EMC has admitted that the cyber attack on its security division RSA Security has cost it £40m, both in investigating the hack, and in tightening security to make sure it doesn't happen again.

I'm not entirely sure how you manage to spend that amount of money in those ways. How much does it cost to check your log files, scan your network for malware or oddities, and go through all your documents to see what has been accessed, when and by whom?

There's quite a bit of work there, so let's say you hire in some incredibly expensive external talent and it takes them a month. I still don't see how that can possibly come to more than £1m tops.

And then you have to improve your security in the hope that someone somewhere might actually trust you enough to use your products again.

As part of this drive, RSA created a new CSO role, which it gave to Eddie Schwartz, who was already working at EMC, and originally at NetWitness, which EMC bought in April.

If they're paying him £39m, then that would both explain where the money went, and prompt an immediate change of career direction for myself, and probably most of you too.

Unless they're factoring in loss of sales, which is possible and would certainly come close to explaining the figure.

Companies are understandably reluctant to reveal their losses as a result of security breaches. They'd rather brush the whole thing under the carpet as soon as possible, and hope their customers suffer from amnesia.

Sony has probably lost far more as a result of its encyclopaedia of security mishaps, but it isn't telling us, other than to say that it has lost something (besides all credibility).

So had EMC properly secured RSA's network in the first place, what else could that £40m have bought?

Well for a start it's what the US military paid recently for the manufacture and delivery of the new XM-25 computer smart-rifles, complete with explosive shells and thermal imager sighting.

Are your competitors' sales teams all armed with smartphones? They're no match for the smart-rifles, and the thermal imaging should help track them down even in the comfort of their air-conditioned BMWs.

Or, how about Manchester City striker Carlos Tevez? £40m should be enough to prise him away, then simply install him in the foyer of your headquarters and make him do keepy-ups. That'll be more interesting than a few potted plants and a drinks dispenser.

Personally I'd plump for the Meamina, a luxury 200 foot boat available from Burgess Yachts. It lists one of its features as 'teak decks'. And it leaves a cool million in loose change for important things like gin and helicopters.

So EMC, those are just a few things to reflect on as you eye the hole in your profits this quarter. For everyone else, go spend £50,000 upgrading your security then blow the rest on a teak-floored yacht.

Stuart Sumner, chief reporter and security geek


Reader comments

Please check your facts

You may want to check your facts on this. After the RSA incident, RSA took responsibility for remediating this threat not only for their own network but also for all of their customers. Do you know how many companies use RSA? Or better yet... how many large companies do you know that do NOT use RSA?

RSA not only reissued secure IDs for all their customers who requested them but also paid to monitor the customers' networks for potential threats.

I can easily see how the cost for this can be so high.

Posted by: Julabela  30 Jul 2011