
Adobe data breach settlement pays $1 million to 15 states

Adobe agreed to pay several states a total of $1 million and agreed to new compliance measures as part of a settlement over the company's 2013 data breach.

Adobe Systems agreed to a settlement regarding its 2013 data breach that will pay a total of $1 million to 15 state attorneys general and require the software company to implement new security practices.

The 15 states that participated in the Adobe data breach investigation and settlement include Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, North Carolina, Ohio, Oregon, Pennsylvania and Vermont. The Ohio State Attorney General's Office, which announced the settlement Thursday, said the multistate investigation explored "whether Adobe had used reasonable measures to protect its systems from an attack or immediately detect an attack."

The September 2013 Adobe data breach exposed millions of customer names, addresses, telephone numbers, e-mail addresses and usernames, as well as encrypted passwords and encrypted credit card information. After detecting an intrusion on its network, the software company alerted customers and initiated a forced password reset for affected customer accounts. The 38 million customers believed to have been affected by the breach included 534,000 residents of the 15 states involved in the settlement.

While the multistate investigation determined Adobe was able to stop the attacker from decrypting the credit card and password information on its servers, the attorneys general concluded the software company was in violation of state consumer protection and personal information safeguard statutes. "Adobe did not employ reasonable security measures to protect its systems and personal information on them from an attack that originated at the public-facing server," according to the Assurance of Voluntary Compliance order included in the settlement. "In the Attorneys General's view, the risk of unauthorized access through the public-facing server was reasonably foreseeable."

The compliance agreement records several points on which Adobe and the states disagree. The attorneys general claimed that "a limited number of unencrypted passwords may have been stolen as well," though they did not provide further details. Adobe, for its part, stated that its investigation "found no evidence that decrypted payment card numbers were ever exfiltrated from its systems."

In the compliance agreement, Adobe said it had already taken several steps to improve security following the breach, including enforcing two-factor authentication on the affected servers, removing encrypted customer passwords from those servers, setting up additional network monitoring sensors and alerts, and implementing tokenization for all payment card numbers. While Adobe denied the claims of the attorneys general regarding inadequate security measures, the company agreed to several assurances, including compliance with several state consumer protection and personal information safeguard statutes; timely notification of both residents and the attorneys general's offices in the event of future breaches; and conducting reviews of information security policies and procedures at least twice each year.

In addition, Adobe agreed to provide an audit report to the office of the Connecticut attorney general that will be prepared by an independent third-party auditor. The audit must be conducted within the next four months, and if any security deficiencies are discovered, Adobe must take "corrective action within a reasonable time frame." Adobe also pledged to perform ongoing risk assessments and penetration testing and create an alert system that will notify the company if "its exfiltration reporting sources are not operating normally."
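The last assurance above, an alert when "exfiltration reporting sources are not operating normally", is a detection-engineering pattern worth seeing in code: a monitor of the monitors that fires when a telemetry source goes silent, reports a bad status, or keeps reporting but sees nothing. The following is an added example written for this page, not code from Adobe or from the settlement; the source names, allowed reporting intervals, heartbeat-line format and log lines are all constructed for illustration.

```python
"""Liveness check for exfiltration-reporting sources (added example).

Reads heartbeat lines of the form "<UTC timestamp> <source> <status> [k=v ...]",
keeps the newest report per source, and alerts on any expected source that is
missing, stale, unhealthy or reporting zero volume. All names and values are
assumptions made for this example.
"""
from datetime import datetime, timedelta, timezone

# Monitoring sources and the longest gap between reports considered normal
# for each (assumed values for illustration).
EXPECTED_INTERVALS = {
    "netflow-collector": timedelta(minutes=5),
    "dlp-proxy": timedelta(minutes=10),
    "egress-fw-syslog": timedelta(minutes=2),
    "dns-exfil-monitor": timedelta(minutes=15),
}

# Constructed heartbeat lines; one line is deliberately malformed.
SAMPLE_LOG = """\
2016-11-17T10:00:05Z netflow-collector ok records=18234
2016-11-17T10:01:00Z egress-fw-syslog ok events=512
2016-11-17T10:02:10Z dlp-proxy ok scanned=77
2016-11-17T10:03:00Z egress-fw-syslog ok events=498
garbage line that should be ignored
2016-11-17T10:05:05Z netflow-collector ok records=0
2016-11-17T10:09:00Z egress-fw-syslog ok events=501
"""


def parse_heartbeats(text):
    """Return {source: (last_seen, status, counters)} keeping only the newest
    report per source. Malformed lines are skipped: a monitor of monitors
    must not crash on bad input, or it becomes the blind spot itself."""
    latest = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        ts = ts.replace(tzinfo=timezone.utc)
        source, status = parts[1], parts[2]
        counters = {}
        for kv in parts[3:]:
            key, _, value = kv.partition("=")
            if value.isdigit():
                counters[key] = int(value)
        if source not in latest or ts > latest[source][0]:
            latest[source] = (ts, status, counters)
    return latest


def check_sources(latest, now, expected=EXPECTED_INTERVALS):
    """Return (source, reason) alerts for every expected source that has never
    reported, is older than its allowed interval, reports a non-ok status, or
    is up but seeing zero volume (as blind as a source that is down)."""
    alerts = []
    for source, interval in expected.items():
        entry = latest.get(source)
        if entry is None:
            alerts.append((source, "never reported"))
            continue
        ts, status, counters = entry
        age = now - ts
        if age > interval:
            alerts.append((source, "silent for %ds, limit %ds"
                           % (age.total_seconds(), interval.total_seconds())))
        elif status != "ok":
            alerts.append((source, "status " + status))
        elif counters and all(v == 0 for v in counters.values()):
            alerts.append((source, "reporting but zero volume"))
    return alerts


def run_example(now_iso="2016-11-17T10:10:00Z"):
    """Evaluate the constructed log as of the given UTC clock time."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return check_sources(parse_heartbeats(SAMPLE_LOG), now)


if __name__ == "__main__":
    for source, reason in run_example():
        print("ALERT %s: %s" % (source, reason))
```

Run as of 10:10 UTC, the check flags `dns-exfil-monitor` (it never reported) and `netflow-collector` (its latest heartbeat arrived on time but carries `records=0`), while the two sources that are both fresh and busy stay quiet. The zero-volume rule is the one most often left out of such checks, and it is the one that catches a collector that is alive but has lost its span port or feed.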
