Adobe has agreed to pay $1 million (around £800,000) to settle claims brought by 15 US state attorneys general over a 2013 security breach in which the personal details of around 153 million of its users were leaked.
The October 2013 breach of Adobe's network was a serious one. Adobe initially reported the loss of around three million customers' personal details, including customer IDs, passwords and payment card details, along with the source code to several Adobe products. A day later the company revised the figure to 38 million user accounts, and it had to revise it again when the attackers, or someone close to them, published a list of the 153 million accounts that had actually been taken. Adobe also retracted its claim that the stolen data had been properly protected: passwords had been encrypted with Triple-DES (3DES) under a single key rather than protected with a salted, one-way password hash, so the ciphertext could be reversed by anyone holding that key and, with no per-user salt, identical passwords produced identical ciphertext; worse, the password hints, in many cases simply a copy of the password itself, had been stored in plain text.
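To make the point above concrete, here is an added example (written for this article, not Adobe's code or data) showing why protecting passwords with a single-key, unsalted reversible cipher is the wrong tool even before anyone recovers the key. Researchers who analysed the leaked dump found the passwords had been encrypted with 3DES in ECB mode, so every copy of the same password produced the same ciphertext. The example stands in for that with a deterministic keyed HMAC from the Python standard library (the relevant property is the same: equal passwords always give equal output), pairs it with plaintext hints, and runs the "crossword" attack the dump invited: try each user's hint as their password, and a single hit recovers every account sharing that ciphertext. It then repeats the attack against per-user salted PBKDF2 hashes. The account list, hints and server key are constructed for the demonstration.

```python
"""Added example: deterministic single-key password 'encryption' plus plaintext
hints, versus per-user salted one-way hashing. Not Adobe's code or data."""
import hashlib
import hmac
import os
from collections import defaultdict

# Hypothetical single server-side key, standing in for Adobe's one 3DES key.
SERVER_KEY = b"hypothetical-single-key-for-all-records"

# Constructed sample accounts (not real data): (user_id, password, hint).
SAMPLE_ACCOUNTS = [
    ("alice", "sunshine1",   "sunshine1"),  # hint is the password itself
    ("bob",   "sunshine1",   "my usual"),
    ("carol", "sunshine1",   "weather"),
    ("dave",  "Tr0ub4dor&3", "comic"),
    ("erin",  "letmein",     "letmein"),    # hint is the password itself
]

PBKDF2_ITERATIONS = 200_000  # kept modest so the demo runs in seconds


def weak_protect(password):
    """Stand-in for unsalted, single-key 3DES-ECB: keyed and deterministic.
    HMAC is used only because it is in the standard library; what matters
    here is that equal passwords always map to equal stored values."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()


def strong_protect(password, salt=None):
    """Per-user random salt plus a slow one-way KDF; output is 'salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def strong_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = strong_protect(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_dump(protect):
    """What an attacker exfiltrates: (user_id, protected_password, hint)."""
    return [(uid, protect(pw), hint) for uid, pw, hint in SAMPLE_ACCOUNTS]


def cluster_by_ciphertext(dump):
    """Group users by stored value; with no salt, one group == one password."""
    groups = defaultdict(list)
    for uid, protected, _hint in dump:
        groups[protected].append(uid)
    return dict(groups)


def crack_weak_dump(dump):
    """Crossword attack: try each user's plaintext hint as their password.
    A hit on one row recovers every row with the same ciphertext, including
    users whose own hints were useless."""
    clusters = cluster_by_ciphertext(dump)
    recovered = {}
    for uid, protected, hint in dump:
        if uid in recovered:
            continue
        if weak_protect(hint) == protected:
            for member in clusters[protected]:
                recovered[member] = hint
    return recovered


def crack_strong_dump(dump):
    """Same hint trick against salted hashes: every guess costs a full KDF run
    and can only ever expose the one user whose own hint was the password."""
    return {uid: hint for uid, protected, hint in dump if strong_verify(hint, protected)}


if __name__ == "__main__":
    weak = build_dump(weak_protect)
    print("unsalted: clusters =", len(cluster_by_ciphertext(weak)),
          "recovered =", sorted(crack_weak_dump(weak)))
    strong = build_dump(strong_protect)
    print("salted:   clusters =", len(cluster_by_ciphertext(strong)),
          "recovered =", sorted(crack_strong_dump(strong)))
```

Two users' careless hints expose four of the five accounts in the unsalted dump, because bob and carol share alice's ciphertext; with salted PBKDF2 the same hints expose only alice and erin, and each guess costs the attacker a full key derivation. The hints remain a liability either way, which is why plaintext hints should not be stored at all.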
Now, the Attorneys General for Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont have jointly concluded that the company failed to take 'reasonable security measure to protect its systems and [customers'] personal information on them from an attack that originated at the public-facing server'.
Under the resulting settlement Adobe will pay $1 million (approximately £800,000) and has agreed to shore up its systems, including commitments that payment card details will no longer be stored on a public-facing system, that all payment card numbers it processes are protected by tokenisation, and that all employees are trained in its security policies. To demonstrate that it is complying, the company must provide a report to each of the 15 states.
The settlement follows the separate out-of-court settlement of a class action suit brought by victims of the breach, which was closed for an undisclosed sum.