Adobe Systems will pay a $1 million settlement to 15 states for its 2013 data breach, which at the time was one of the largest known breaches of user account data.
"The settlement resolves consumer protection, data security and privacy claims against the company," Massachusetts' Attorney General's office says in a statement. It also requires Adobe to put in place defenses to better protect data.
Parties to the agreement are Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont, where a total of 534,000 victims lived. The settlement works out to be less than $2 per victim.
"It is good to see that the states tried to recover losses sustained by some of their residents, but it is unlikely scalable to the actual losses sustained by many consumers," says Alex Holden, CISO at Hold Security, who discovered Adobe's breach.
38 Million Accounts Affected
Adobe disclosed a series of data breaches in October 2013. It initially believed that only 2.9 million accounts were affected, but three weeks later said the breach involved 38 million active accounts. The full stolen data, a 3.8GB file, contained 153 million accounts.
The stolen data included names, addresses, phone numbers, email addresses, usernames and encrypted payment card numbers and expiration dates.
The states alleged that Adobe "did not take reasonable steps to protect consumers' personal information or to promptly detect the attack and prevent the theft," according to Massachusetts' Attorney General's office.
The money will be split among the states depending on the number of victims who reside in each. For example, North Carolina, whose attorney general's office released a statement on the settlement, will get more than $71,000 for its 52,734 victims. Massachusetts says its share is more than $70,000 for 53,000 victims.
The financial penalty in the settlement probably pales in comparison to the legal fees Adobe has incurred, says Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned breach notification website.
"I think the most interesting thing about this is here we are three years later, and the saga is still playing out," Hunt says. "$1 million doesn't seem like much. You have to wonder what three years of lawyers and court wrangling would have added up to."
In 2015, Adobe chose to settle a class-action suit filed in federal court in California related to the 2013 breach. The terms of the settlement were not disclosed, but Adobe ended up paying $1.2 million of the plaintiffs' legal fees (see Adobe Plans to Settle Breach Lawsuit).
Source Code Also Stolen
The breach occurred after attackers compromised one of Adobe's public-facing web servers and then used that access to move laterally through its network, according to the Massachusetts Attorney General's office. Adobe "received an alert that the hard drive for one of its application servers was nearing capacity," it says.
"In responding to the alert, Adobe learned that an unauthorized attempt was being made to decrypt customer payment card numbers maintained on the server," according to the statement.
The attackers also stole Adobe source code, which was also discovered by Holden. He found the code stashed on a server run by a hacking gang. The source code had been encrypted, or at least taken in encrypted form, but the files were left unprotected on the server when Holden found them.
The theft of source code, which included Adobe's ColdFusion web server software, is an almost incalculable loss that also likely caused financial harm to other customers not party to the settlement, Holden says. It's possible hackers could develop zero-day exploits from the ColdFusion source code, he says.
"Exploitations of Adobe's web server product ColdFusion led to thousands of sites being compromised and losses of even more data," Holden says.