Attorneys general in over a dozen U.S. states announced on Thursday that they reached a $1 million settlement with Adobe Systems over the massive data breach suffered by the company in 2013.
Authorities in 15 states accused Adobe of failing to employ reasonable measures to protect customers’ personal information and promptly detect malicious activity within its network. As part of the settlement, the software giant has agreed to implement new policies and practices in an effort to prevent similar breaches in the future.
The measures that Adobe must take include effectively segregating payment card data from public-facing servers, using tokenization in payment processing, performing ongoing risk assessments and penetration testing, and providing security training to employees.
The $1 million will be paid by Adobe to attorneys general as designated by the Connecticut Attorney General’s Office, which led the investigation into the data breach.
Connecticut AG George Jepsen announced that his state will get $135,095.71, of which $25,000 will go to the Department of Consumer Protection’s consumer privacy protection guaranty and enforcement account, and the rest to the state’s General Fund.
The other states involved in the investigation are Arkansas, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont.
Adobe realized that its systems were breached in September 2013, when it noticed that one of its application servers’ hard drive was nearly full. An investigation revealed that unauthorized parties had been trying to decrypt encrypted customer payment card numbers.
Adobe confirmed at the time that the attackers managed to steal user information and source code, but claimed there was no evidence that any unencrypted payment card numbers were exfiltrated. The breach was believed to affect 38 million Adobe customers and some reported that more than 150 million records were compromised.
In 2015, the company settled a class action and agreed to pay an undisclosed amount to users and roughly $1.2 million in legal fees.
Related: Adobe Breached Privacy Act, Says Australian Information Commissioner