BreachExchange mailing list archives

Adobe Plans to Settle Breach Lawsuit


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Apr 2015 19:49:02 -0600

http://www.databreachtoday.com/adobe-plans-to-settle-breach-lawsuit-a-8174

Adobe Systems is moving to settle a class-action lawsuit that was filed in
the wake of a series of data breaches it first disclosed in October 2013.
The breaches reportedly led to the compromise of more than 38 million
customer accounts, including details relating to an estimated 3 million
payment cards.

Adobe signed a memorandum in February 2015, agreeing to settle the lawsuit
in return for all related claims being dismissed. U.S. District Court Judge
Lucy H. Koh, who's presiding over the settlement agreement, then gave both
sides until April 30 to hammer out an agreement and submit it to her for
preliminary approval.

But the plaintiffs in the class-action lawsuit, in an April 22 joint
settlement status report - agreed to by Adobe Systems - said that "while
the parties have made significant progress with respect to the formal
settlement agreement ... finalizing the formal settlement agreement has
been more difficult and time consuming than they initially anticipated."
Accordingly, both sides requested more time.

Koh has granted that request, and ordered that the deadline for the
settlement agreement be moved to June 10.

Analysis: Why Settle?

News of the continuing settlement discussion follows the March announcement
that a judge has granted preliminary approval to a $10 million settlement
agreement between Target and consumers who were affected by its massive
2013 data breach.

Security experts say Adobe is likely pursuing a similar course of action,
and settling in part to avoid having to defend the security defenses in
which it chose - or chose not - to invest. "The [Adobe] case would have
come under heavy public scrutiny being heard in Judge Koh's court, and if
the settlement is anywhere near as lightweight as that paid by Target it
will be a small price to pay for avoiding the spotlight," Al Pascual,
director of fraud and security for Javelin Strategy & Research, tells
Information Security Media Group. "These cases could very well be the start
of a trend."

But the Adobe breach also differs from the Target breach in important ways,
Avivah Litan, a vice president at Gartner Research, tells ISMG. "I think
Adobe had much more pressure on them than a breached retailer has had," she
says. "Their software is used by virtually every PC user, and
vulnerabilities in their software have been a major attack vector for
criminals in the past. This, combined with the fact that Adobe claimed [to
have] strong information security practices, made it more likely that they
would settle rather than let this case go to court."

Multiple Attacks

Attackers first gained unauthorized access to Adobe's servers in July 2013,
and breached the databases containing personal information in August 2013,
according to an order written by Koh. But the intrusion was not discovered
until September 2013, which was "when independent security researchers
discovered stolen Adobe source code on the Internet."

Adobe had initially reported that an attack against it had compromised 2.9
million customers' accounts (see Adobe Breach Affects 2.9 Million), before
revising that figure to 38 million. At the time, Brad Arkin, chief security
officer at Adobe, said it was part of a series of attacks, including an
intrusion that compromised "source code for numerous Adobe products,"
including Adobe Acrobat, ColdFusion, and ColdFusion Builder. Arkin said the
company believed that the different attacks were related.

At the time, Adobe notified all affected customers, reset the passwords for
affected accounts, and offered a year of prepaid identity theft monitoring
services for anyone whose card details were exposed.

Adobe Security: Inadequate?

Following the breach, a class-action lawsuit filed in November 2013 alleged
in part that Adobe had under-invested in information security - vis-à-vis
its competitors - and thus violated its own privacy policy, which promised
that Adobe would "provide reasonable administrative, technical, and
physical security controls to protect your information." They also said
that these security deficiencies were not known, and thus that Adobe had
misled customers about the efficacy of its security practices.

Adobe fought the class-action lawsuit and requested that it be dismissed,
arguing in part that while it had security deficiencies, these had been
widely reported in the press, and thus customers should have known about
them.

But in September 2014, Koh dismissed that argument and ordered the lawsuit
to proceed, noting in her order that the affected customers faced the
immediate threat of "sustaining some direct injury" as well as "real and
immediate harm."

Gartner's Litan notes that consumers were not just at risk from the stolen
payment card data. "Much more damage can result from stolen credentials
than from stolen credit/debit cards, where users are protected under [some
regulation] and by the rules of the credit card companies," she says. "This
fact, too, likely led to a settlement, rather than continuing litigation,
as Adobe likely wanted to keep those discussions out of the public records."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss