It's news that no one—especially not a customer of a firm—wants to hear: a compromised network allowed intruders to reap a massive haul, starting with 2.9 million customer names. That would be bad enough by any standard, but it only gets worse.
The compromised network not only resulted in the leak of customer names, but also got a set of “other information relating to customer orders,” which includes encrypted debit and credit card data—numbers and expiration dates alike—and more besides. While Adobe isn't saying exactly when the breach actually hit—the most it would say is that the attacks were discovered “very recently”—it took several steps in response to said matter. Among these steps were the resetting of customer passwords and the e-mail notification of the users whose accounts were impacted by the changes.
Additionally, Adobe is notifying those whose credit card information was at risk, along with an offer of a free year's membership in a credit monitoring service. Adobe has further notified the banks that handle processing for Adobe for further help, and is working with federal authorities in terms of investigating the person or persons responsible.
Image via Shutterstock
Adobe also issued a public apology, and perhaps thankfully, doesn't believe that any decrypted credit card information was taken, rather only encrypted, so the chances of customers having issues is somewhat lessened by this news. But perhaps more frightening was the revelation that some of Adobe's source code was also taken, though Adobe doesn't believe that said source code will prove to be any more risk to its customers.
That's no small affair, though, and application security company Cenzic released a statement of its own surrounding the theft of said source code. The Cenzic statement noted that source code thefts don't happen often, but represents a loss on par with the “crown jewels” of the company. Given that Adobe products are regularly used across businesses worldwide, the potential impact is, as Cenzic's statement describes, “enormous.”
The statement continued: “Regardless of how sophisticated these attacks may seem, the end game of this breach once again illustrates how vulnerable the application layer remains today. The most sensitive data and customer information resides in the databases and the hacker is looking for that one open vulnerability in the application to get to the precious data. More applications moving to the Web, cloud, and mobile today further heightens the threat vector. Organizations must take a proactive approach towards enforcing tight security processes right from the code development phase and through the entire SDLC (Software Development Life Cycle). It is paramount for developers to do thorough security checks on the applications before they are pushed into production.”
Here, Cenzic shows quite clearly what's at stake, and more videos on this subject and others can be found here. More and more of our lives are going online, between cloud systems and more standard communications tools. Thus, the security of said applications becomes an important part of the larger overall environment, as not only do users need to protect individual devices, but also the larger network and beyond. While the importance of users taking the necessary steps to protect devices is as important as ever, so too do developers need to engage in security as well. While Adobe's response has been very encouraging, the need for vigilance is as clear now as it has ever been.
Edited by Alisen Downey