Adobe was hacked, credit card and other data of est. 2.9 million customers accessed

As reported by various media outlets, Adobe said earlier this week that its source code had been accessed. This was followed on Thursday by a statement that customer information including names, encrypted credit/debit card numbers, expiration dates and “other information relating to customer orders” may have been accessed.

The firm was first made aware of the breach when journalist Brian Krebs and researcher Alex Holden, CISO of Hold Security LLC, encountered a large file with source code on a server belonging to cybercriminals who were believed to have hacked their way into the databases of data aggregators, including LexisNexis, Kroll Background America (now part of HireRight, managed by Altegrity), and Dun & Bradstreet. The crime group, known as the SNSDOB gang, systematically stole personal data from them and then funneled it to hard-core identity thieves, as detailed in Krebs’ coverage on his blog.

Upon Krebs’ notification, Adobe told him that it believes the access occurred in mid-August and that it has been under investigation since Sep 17th.

As a preventative measure, the company has reset the passwords of all those customers whose accounts are believed to have been accessed. According to Adobe, US customers whose information was compromised will be offered the option to enroll in a 1-year complimentary credit monitoring membership, where available.

While the compromised customer data will not affect users of Adobe’s free products and plugins, such as Adobe Reader, Adobe Flash Player, Adobe AIR and Adobe Shockwave Player, it is of concern to, for example, many of the company’s Revel and Creative Cloud account users, who by now presumably have been notified via email that they need to reset their passwords. In addition, Adobe will be sending notification letters over the course of the next 2 weeks to customers whose accounts were breached.

What is somewhat worrisome but not surprising is that Adobe did not bother to alert its customers to this breach until the aforementioned exposé by krebsonsecurity.com. As USA Today points out, this is despite the fact that “all but four states have enacted data loss disclosure laws which were modeled after the pioneering California statute that was the first to require companies to notify customers, should any personal data held by the business turn up lost or stolen.” According to datalossdb.org, only Alabama, Kentucky, New Mexico and South Dakota do not have data loss disclosure laws.

Several information security specialists expect an increase in attacks geared against previously unknown vulnerabilities in numerous Adobe products, now that their source code may be available to potential perpetrators.

For assistance in ensuring that your computer(s) are properly protected, and for help in reviewing and updating your current information security policies and procedures, contact us today.
