Adobe Systems Inc. has confirmed the report of a massive data breach involving the compromise of nearly 3 million customer records and source code from an as-yet-undetermined number of Adobe software products.
The breach, first reported Thursday by Brian Krebs of KrebsOnSecurity, is believed to involve payment card data and other data from approximately 2.9 million Adobe customers, according to the company's Chief Security Officer Brad Arkin. Adobe also confirmed attackers accessed the source code of an undetermined number of the company's software titles; its ColdFusion Web development software and its Acrobat document creation and management software are believed to be included.
Arkin confirmed the data breach Thursday in a blog post, stating that customers whose credit or debit card information was potentially affected will receive a notification letter regarding the incident. As a precaution, Adobe will reset the passwords of affected customers and is advising those customers to also change their login credentials on any other website where they reuse the same details.
"We deeply regret that this incident occurred," Arkin said in a statement. "We're working diligently internally, as well as with external partners and law enforcement, to address the incident."
Regarding the possible compromise of its software source code, Arkin noted that, as of yet, the company is unaware of any zero-day exploits stemming from these "sophisticated" attacks. The company recommended that customers run current, supported versions of its software and apply any outstanding security updates. The company said its Acrobat Enterprise Toolkit and ColdFusion Lockdown Guide contain in-depth security hardening guidance for those particular products.
"We are not aware of any zero-day exploits targeting any Adobe products," Arkin noted. "Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident."
Affected customers will be given the option of enrolling in complimentary credit monitoring for one year. Aaron Titus, chief privacy officer at New York-based data protection vendor Identity Finder LLC, noted that a free year of credit monitoring has become an "industry de facto standard" after such data breaches. Though he commended Adobe for making the offer to customers, Titus speculated that the move was mostly to address the PR aspect of the breach, as Arkin indicated the stolen card info was likely encrypted.
"The objective risk to their customers is probably pretty low," Titus said. "The thing that will make their customers secure is the fact that the numbers were encrypted to begin with, not that they offered credit monitoring to their customers."
Titus also mentioned that the compliance aspect of this situation will continue to play out, with the loss of payment card data and related PCI DSS compliance ramifications likely to result in some penalty for the software vendor.
Adobe was first made aware of the attacks on its systems roughly a week ago when Krebs and Alex Holden, chief information security officer of Hold Security LLC, alerted the company to evidence of its source code residing among a 40 GB stash of Adobe data on the same server used by criminals in the breaches of LexisNexis, Dun & Bradstreet and Kroll. In an interview with Krebs, Adobe's Arkin indicated the software vendor has been undergoing a "rigorous review" of the ColdFusion code since the compromise, and Adobe is confident the code has "maintained its integrity."
"We're still at the brainstorming phase to come up with ways to provide [a] higher level of assurance for the integrity of our products, and that's going to be a key part of our response," Arkin told Krebs.
Though no attacks are directly attributable to this breach yet, Titus speculated that it would only be a matter of time until active exploits showed up in the wild. "When you have access to the source code, you can pick that apart until the end of time," he added.
Adobe's security strategy has been questioned by many in the industry over the years, though more recently it has been lauded under Arkin's leadership, specifically for following Microsoft's lead by implementing a regularly scheduled patch-release cycle in 2009. But with this breach and the likely compromise of source code, Titus said further questions will be asked about the security and integrity of its products.
"Adobe will need to be on the defensive and assure many enterprises that their software suites remain secure. If I was a CIO or CISO, I would be very concerned right now as Adobe products pose a much higher risk vector," Titus commented. "If you weren't already buying Adobe products with a skeptical eye, hopefully this will be a wakeup call from a security standpoint."