Attorneys general in over a dozen U.S. states announced on Thursday that they reached a $1 million settlement with Adobe Systems over the massive data breach suffered by the company in 2013.
Authorities in 15 states accused Adobe of failing to employ reasonable measures to protect customers’ personal information and promptly detect malicious activity within its network. As part of the settlement, the software giant has agreed to implement new policies and practices in an effort to prevent similar breaches in the future.
The measures that Adobe must take include effectively segregating payment card data from public-facing servers, using tokenization in payment processing, performing ongoing risk assessments and penetration testing, and providing security training to employees.
The $1 million will be paid by Adobe to attorneys general as designated by the Connecticut Attorney General’s Office, which led the investigation into the data breach.
Connecticut AG George Jepsen announced that his state will get $135,095.71, of which $25,000 will go to the Department of Consumer Protection’s consumer privacy protection guaranty and enforcement account, and the rest to the state’s General Fund.
The other states involved in the investigation are Arkansas, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont.
Adobe realized that its systems were breached in September 2013, when it noticed that the hard drive of one of its application servers was nearly full. An investigation revealed that unauthorized parties had been trying to decrypt encrypted customer payment card numbers.
Adobe confirmed at the time that the attackers managed to steal user information and source code, but claimed there was no evidence that any unencrypted payment card numbers were exfiltrated. The breach was believed to affect 38 million Adobe customers, and some reported that more than 150 million records were compromised.
In 2015, the company settled a class action and agreed to pay an undisclosed amount to users and roughly $1.2 million in legal fees.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
