Business Cloud News
Adobe says the data breach compromised IDs, passwords and email of 2.9 million customers, and an undisclosed amount of payment

Adobe says the data breach compromised IDs, passwords and email addresses for 2.9 million customers.

Adobe confirmed Thursday that it has suffered significant security breaches compromising the data of 2.9 million customers and valuable source code for its software offerings when it was targeted in a “sophisticated” cyber attack this week, an event some experts say could have been avoided had the company made larger strides to protect its data.

Adobe has a history of security vulnerabilities in its products, including a critical flaw in its Reader, Acrobat and Flash Player software in 2010 that allowed hackers to take control of computers running the software. This and other, lesser flaws in the company’s products even prompted former Apple chief executive officer Steve Jobs to criticise the company’s buggy, exploitable software (which he then used to justify not supporting Flash). But this time, it was the company’s own servers that were hacked.

According to Adobe, the intruders accessed encrypted customer IDs and passwords. “We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” Brad Arkin, chief security officer at Adobe, wrote on the company’s blog. “At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.”

“We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident.”

Arkin also said that valuable source code for a number of Adobe products was stolen in a separate, related attack, which could give hackers a backdoor into machines running the company’s software suite.

Adobe says it is in the process of notifying affected customers and helping them change their passwords. For customers that have had payment information exposed, Adobe is offering the option of enrolling in a one-year complimentary credit monitoring programme, paid for by the company.

But compensation aside, some security experts suggest Adobe could have gone further to protect its customer data.

“It is good that Adobe protected their customer PII with encryption, which should protect credit card numbers. However, Adobe didn’t mention the protection of customer addresses, owned software licenses, email addresses and perhaps a lot of other useful targeting information for a hacker,” said Paul Ayers, vice president EMEA at Vormetric, an enterprise data security firm.

“This information could potentially be used for a very targeted spear phishing attack coming from ‘Adobe’, one that recommends a necessary software update is available to be downloaded with an email that seems very real because of all the accurate details it contains,” he added.

Ayers says that, from the reports and information available so far, one could conclude that Adobe used encryption to meet compliance requirements but does not seem to have done much beyond that. And as Adobe shifts to a cloud-based delivery model for its software suite, the company, like others making a similar shift, may face further complications in maintaining a dependable security perimeter around its products.
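The article only says that Adobe “encrypted” customer passwords and that experts felt this did not go far enough. The following is an added example, not Adobe's code, and the page does not say which scheme Adobe actually used. It contrasts two ways a site might store login secrets: a deterministic, reversible cipher under one site-wide key (represented here by a constructed repeating-key XOR stand-in, chosen only because it is short and reversible) and a per-user salted, slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library). The `compare_schemes` function reports the properties a defender cares about: whether two users with the same password get the same stored record, and whether anyone holding the stored data plus the key can recover the plaintext.

```python
"""Credential storage: reversible encryption versus salted, slow hashing.

Added example for this article; it is not Adobe's code, and the page does not
state which scheme Adobe used. The reversible side uses a constructed
repeating-key XOR as a stand-in for any deterministic cipher under one key.
"""
import hashlib
import hmac
import os
from itertools import cycle

# ---- Scheme A: deterministic reversible encryption, one key for the site ----

def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (constructed stand-in, not a real cipher).
    Same plaintext + same key always yields the same ciphertext."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def toy_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return toy_encrypt(ciphertext, key)


def store_encrypted(password: str, site_key: bytes) -> bytes:
    """What a database row holds under Scheme A."""
    return toy_encrypt(password.encode("utf-8"), site_key)


# ---- Scheme B: per-user random salt + slow KDF, nothing to decrypt ----

def store_hashed(password: str, iterations: int = 100_000) -> dict:
    """What a database row holds under Scheme B: salt, cost, digest."""
    salt = os.urandom(16)  # fresh per user, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_hashed(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def compare_schemes(password: str = "Summer2013!") -> dict:
    """Properties of each scheme for two users who chose the same password.

    Constructed inputs: a sample password and a sample site key."""
    site_key = b"constructed-site-key-0001"

    # Scheme A: two users, same password -> identical rows; key recovers both.
    row_a1 = store_encrypted(password, site_key)
    row_a2 = store_encrypted(password, site_key)
    recovered = toy_decrypt(row_a1, site_key).decode("utf-8")

    # Scheme B: two users, same password -> different rows; no key to steal.
    row_b1 = store_hashed(password)
    row_b2 = store_hashed(password)

    return {
        "encrypted_same_password_same_record": row_a1 == row_a2,
        "encrypted_key_holder_recovers_plaintext": recovered == password,
        "hashed_same_password_distinct_records": row_b1["digest"] != row_b2["digest"],
        "hashed_verify_correct_password": verify_hashed(password, row_b1),
        "hashed_verify_wrong_password": verify_hashed(password + "x", row_b1),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The point of the comparison is that under Scheme A the stored data is only as safe as the single key, and identical ciphertexts leak which users share a password even before the key is found; under Scheme B each guess must be run through the slow KDF separately per user, and there is no key whose loss reveals everything at once.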

“We don’t know enough at this time to know if firewalling their data would have helped. However, what we do know is that controlling and limiting data access to only those who need it significantly reduces the risk surface. We also know that closing back doors to data access by controlling what privileged users can do significantly reduces the risk of hackers compromising these users in order to gain access to servers,” he said.

“From the cloud standpoint, managing users in this environment becomes inevitably more complicated – the attack surface is increased. As a multi-tenant environment run by a third-party provider, that may (or may not) have the proper security safeguards in place, it is up to the data owner to make sure they understand what controls are in place to protect their information,” he added.

Some believe Adobe – like many companies – should move to embrace new forms of user authentication in order to reduce the risk of compromising sensitive customer information.

“What is proven time and again is that username and password security systems are inherently weak, offering a wide range of attack vectors to criminals, along with a valuable harvest of private customer information,” said Brian Spector, chief executive officer at Certivox, a company specialising in security.

“The inherent problems with storing such complete information on one server and the fact that many users tend to use the same password across multiple online accounts really adds to the argument that it is time for companies to move beyond username and passwords and find a more secure method,” Spector added.