Adobe data breach affects 2.9 million users


Adobe Systems has suffered a massive data breach in which the personal details of 2.9 million users have been stolen, along with the source code for its Adobe Acrobat and ColdFusion programmes.

According to a blog post by Brad Arkin, Adobe's chief security officer, hackers were able to steal customers' names, encrypted credit and debit card numbers, their expiration dates, Adobe IDs and encrypted passwords.


Arkin said source code for "numerous Adobe products" was also removed from the firm's systems, but security researcher Brian Krebs specifically identified the company's ColdFusion web application platform and Acrobat family of products as being amongst those affected.

Krebs, who, with fellow researcher Alex Holden, discovered the stolen source code used by cyber criminals believed to have attacked LexisNexis and Dun & Bradstreet earlier this year, further suggested users of Adobe's Creative Cloud and Revel cloud services were also disproportionately affected.

Peter Armstrong, director of cybersecurity at Thales UK, said the breach suggests companies like Adobe are either not taking cyber security seriously enough or do not know how to tackle it.

"Companies need to ensure they're protecting all of their assets, and that includes people, places and information. Security threats present themselves in a number of forms, and these increase by the day if not hour, minute or second," he said.

"Regulation in this case is a necessity to alter corporate behaviour. Once the full extent of the cyber threat is uncovered, greater collaboration on cyber issues should lead to an improvement in cyber awareness and cyber standards," Armstrong added.

Paul Ayers, VP EMEA at enterprise security firm Vormetric, added that, while it is good Adobe protects credit card information using encryption, he is concerned other personally identifiable information, such as addresses, owned software licenses and email addresses, may be out in the open.

"This information could potentially be used for a very targeted spear phishing attack coming from 'Adobe', one that recommends a necessary software update is available to be downloaded with an email that seems very real because of all the accurate details it contains," Ayers said.

"From the reports out so far and the information available, you could draw the conclusion that Adobe used encryption to meet compliance requirements but not to protect what matters. Now, they have joined the ranks of Cisco and RSA which have lost valuable source code to a hacker.

"If Adobe had the appropriate security intelligence there was a much better chance that we would have never read these reports about their breach," he concluded.

IT Pro contacted Adobe for comment, but the company had not responded at the time of publication.

Jane McCallion
Managing Editor
