Adobe has reported a major security breach. According to the FAQ:
Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.
We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.
A few observations.
- If the criminals downloaded 2.9 million customer details with name, address and credit card details, the risk of fraud is substantial. Encryption is good of course, but if you have a large body of encrypted information which you can attack at your leisure, then it may well be cracked. Adobe has not told us how strong the encryption is.
- The FAQ is full of non-answers. For example, question: "How did this happen?" Answer: "Our investigation is still ongoing."
- Apparently if Adobe thinks your credit card details were stolen you will get a letter. That seems odd to me, unless Adobe is also contacting affected customers by email or telephone. Letters are slow and not all that reliable since people move regularly (though I suppose if the address on file is wrong then the credit card information may well be of little use.)
- Adobe says source code was stolen too. This intrigues me. What is the value of the source code? It might help a criminal crack the protection scheme, or find new ways to attack users with malicious PDF documents. A few people in the world might even be interested to see how certain features of, say, Photoshop are implemented in order to assist with coding a rival product, but finding that sort of buyer might be challenging.
- Is the vulnerability which enabled the breach now fixed? Another question not answered in the FAQ. Making major changes quickly to such a large system would be difficult, but it all depends on what enabled the breach, which we do not know.
- I’d like to see an option not to store credit card details, but to enter them afresh for each transaction. Hassle of course, and not so good for inertia marketing, but more secure.
Was this even an online breach?
Considering the scope of what was taken, it sounds a lot like an internal job as surely you shouldn’t be able to access that much information from outside their private network?
I was under the impression that reputable companies that keep credit card details on file have them on servers with limited access, where you can write new details but not retrieve the currently stored details (except perhaps the last 4 digits), so that this sort of breach is impossible.
Most of the sites I visit with my credit card implement Verified by Visa. Agreed, this is a bit like bolting the stable door once someone has stolen the credit card details, but an extra layer of security like this is preferable to having to enter your card details over and over again.