Adobe Systems agreed to a settlement regarding its 2013 data breach that will pay a total of $1 million to 15 state attorneys general and require the software company to implement new security practices.
The 15 states that participated in the Adobe data breach investigation and settlement include Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, North Carolina, Ohio, Oregon, Pennsylvania and Vermont. The Ohio State Attorney General's Office, which announced the settlement Thursday, said the multistate investigation explored "whether Adobe had used reasonable measures to protect its systems from an attack or immediately detect an attack."
The September 2013 Adobe data breach exposed millions of customer names, addresses, telephone numbers, e-mail addresses and usernames, as well as encrypted passwords and credit card information. The software company detected an intrusion on its network, alerted customers and initiated a forced password reset for affected customer accounts. The 38 million customers believed to have been affected by the breach included 534,000 residents of the 15 states involved in the settlement.
While the multistate investigation determined Adobe was able to stop the attacker from decrypting the credit card and password information on its servers, the attorneys general concluded the software company was in violation of state consumer protection and personal information safeguard statutes. "Adobe did not employ reasonable security measures to protect its systems and personal information on them from an attack that originated at the public-facing server," according to the Assurance of Voluntary Compliance order included in the settlement. "In the Attorneys General's view, the risk of unauthorized access through the public-facing server was reasonably foreseeable."
The compliance agreement includes several disputes between Adobe and the states. The attorneys general claimed that "a limited number of unencrypted passwords may have been stolen as well," though they did not provide further details. Adobe, however, stated that its investigation "found no evidence that decrypted payment card numbers were ever exfiltrated from its systems."
In the compliance agreement, Adobe said it had already taken several steps to improve security following the breach, including enforcing two-factor authentication on the affected servers, removing encrypted customer passwords from those servers, setting up additional network monitoring sensors and alerts, and implementing tokenization for all payment card numbers. While Adobe denied the claims of the attorneys general regarding inadequate security measures, the company agreed to several assurances, including compliance with several state consumer protection and personal information safeguard statutes; timely notification of both residents and the attorneys general's offices in the event of future breaches; and conducting reviews of information security policies and procedures at least twice each year.
In addition, Adobe agreed to provide an audit report to the office of the Connecticut attorney general that will be prepared by an independent third-party auditor. The audit must be conducted within the next four months, and if any security deficiencies are discovered, Adobe must take "corrective action within a reasonable time frame." Adobe also pledged to perform ongoing risk assessments and penetration testing and create an alert system that will notify the company if "its exfiltration reporting sources are not operating normally."