What to Do When Hackers Hack Your Anti-Hacking Company

This one sure is ugly. But when San Francisco-based computer security company RSA’s security was breached by a “sophisticated” hacker, the company came out ahead in the way it handled the incident.

Not going all Baghdad Bob on its customers and the public, RSA announced yesterday that it had been hacked, in an “open letter” on its website from executive chairman Arthur J. Coviello, Jr.

“Recently,” it read, “our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure.”

RSA told the public its data had been accessed by what is called an Advanced Persistent Threat, meaning a long-term intrusion that aims to draw out customer information and corporate intellectual property.

But in the face of that, RSA followed the principle of “timing is everything” in its announcement; it owned up to the problem; it didn’t spin the negative aspects of the security breach away; and it ended the bad-news cycle by reminding its users what they could do to ward off such attacks. There was no mention of the attack on its list of press releases to reporters, but at least it came clean once the story broke.