Bank of America (NYSE: BAC), Wells Fargo (NYSE: WFC), Citigroup (NYSE: C) and JPMorgan Chase (NYSE: JPM) are among RSA's customers opting to replace their SecurID tokens after the vendor finally admitted Monday that the tokens may not be secure. A security breach at RSA in March left the tokens vulnerable, but the company has not said why it took so long to let customers know, report Nelson D. Schwartz and Christopher Drew at The New York Times.

Other RSA customers, including some defense contractors, are preparing to use alternative security measures, such as smart cards, in the wake of the security failure. Lockheed Martin's network was hacked at the end of May, and it is widely thought that the attack was carried out by the same party that hacked into RSA in March. Lockheed plans to replace 45,000 of its SecurID tokens.

The way RSA has communicated information about the incident to its customers--downplaying the problem for many weeks--is generating considerable anger. Until Monday, RSA "shared their party line that everything is fine--pay no attention to the explosion in the corner," said Gary McGraw, chief technology officer for Cigital, a computer security consulting company. "They came around, but they came around late."

For more:
- see Schwartz and Drew's article at The New York Times
- see this article at sister publication FierceComplianceIT

Related Articles:
Stolen RSA SecurID data blamed for hack attempts at L-3 Communications
Lockheed Martin confirms intrusion, shuts down remote network access
RSA tells more about SecurID breach