Adobe Plans to Settle Breach Lawsuit
Class-Action Suit Was Filed Over Compromised Cards, Accounts
Adobe Systems is moving to settle a class-action lawsuit that was filed in the wake of a series of data breaches it first disclosed in October 2013. The breaches reportedly led to the compromise of more than 38 million customer accounts, including details relating to an estimated 3 million payment cards.
Adobe signed a memorandum in February 2015, agreeing to settle the lawsuit in return for all related claims being dismissed. U.S. District Court Judge Lucy H. Koh, who's presiding over the settlement agreement, then gave both sides until April 30 to hammer out an agreement and submit it to her for preliminary approval.
But the plaintiffs in the class-action lawsuit, in an April 22 joint settlement status report - agreed to by Adobe Systems - said that "while the parties have made significant progress with respect to the formal settlement agreement ... finalizing the formal settlement agreement has been more difficult and time consuming than they initially anticipated." Accordingly, both sides requested more time.
Koh has granted that request, and ordered that the deadline for the settlement agreement be moved to June 10.
Analysis: Why Settle?
News of the continuing settlement discussion follows the March announcement that a judge has granted preliminary approval to a $10 million settlement agreement between Target and consumers who were affected by its massive 2013 data breach.
Security experts say Adobe is likely pursuing a similar course of action, and settling in part to avoid having to defend the security defenses in which it chose - or chose not - to invest. "The [Adobe] case would have come under heavy public scrutiny being heard in Judge Koh's court, and if the settlement is anywhere near as lightweight as that paid by Target it will be a small price to pay for avoiding the spotlight," Al Pascual, director of fraud and security for Javelin Strategy & Research, tells Information Security Media Group. "These cases could very well be the start of a trend."
But the Adobe breach also differs from the Target breach in important ways, Avivah Litan, a vice president at Gartner Research, tells ISMG. "I think Adobe had much more pressure on them than a breached retailer has had," she says. "Their software is used by virtually every PC user, and vulnerabilities in their software have been a major attack vector for criminals in the past. This, combined with the fact that Adobe claimed [to have] strong information security practices, made it more likely that they would settle rather than let this case go to court."
Multiple Attacks
Attackers first gained unauthorized access to Adobe's servers in July 2013, and breached the databases containing personal information in August 2013, according to an order written by Koh. But the intrusion was not discovered until September 2013, which was "when independent security researchers discovered stolen Adobe source code on the Internet."
Adobe had initially reported that an attack against it had compromised 2.9 million customers' accounts (see Adobe Breach Affects 2.9 Million), before revising that figure to 38 million. At the time, Brad Arkin, chief security officer at Adobe, said it was part of a series of attacks, including an intrusion that compromised "source code for numerous Adobe products," including Adobe Acrobat, ColdFusion, and ColdFusion Builder. Arkin said the company believed that the different attacks were related.
At the time, Adobe notified all affected customers, reset the passwords for affected accounts, and offered a year of prepaid identity theft monitoring services for anyone whose card details were exposed.
Adobe Security: Inadequate?
Following the breach, a class-action lawsuit filed in November 2013 alleged in part that Adobe had under-invested in information security - vis-à-vis its competitors - and thus violated its own privacy policy, which promised that Adobe would "provide reasonable administrative, technical, and physical security controls to protect your information." The plaintiffs also said that these security deficiencies were not known, and thus that Adobe had misled customers about the efficacy of its security practices.
Adobe fought the class-action lawsuit and requested that it be dismissed, arguing in part that while it had security deficiencies, these had been widely reported in the press, and thus customers should have known about them.
But in September 2014, Koh dismissed that argument and ordered the lawsuit to proceed, noting in her order that the affected customers faced the immediate threat of "sustaining some direct injury" as well as "real and immediate harm."
Gartner's Litan notes that consumers were not just at risk from the stolen payment card data. "Much more damage can result from stolen credentials than from stolen credit/debit cards, where users are protected under [some regulation] and by the rules of the credit card companies," she says. "This fact, too, likely led to a settlement, rather than continuing litigation, as Adobe likely wanted to keep those discussions out of the public records."
Executive Editor Tracy Kitten also contributed to this report.