Adobe investigating source code theft and data breach affecting nearly three million customers

Out-Law News | 07 Oct 2013 | 1:48 pm

The personal details of 2.9 million customers, as well as source code for "numerous" software products, were illegally accessed when hackers broke into Adobe's systems, the company has said.

The global software giant said that it had become an increasing target for cyber attacks. It said it had identified that its network had been breached in an incident which saw the hackers gain access to Adobe customer log-in details and encrypted credit and debit card data, among other information.

"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems," Brad Arkin, chief security officer at Adobe, said in a customer security announcement. "We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders."

"At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident," he said.

Adobe urged customers to reset their passwords and said it had written to those whose credit or debit card information may have been stolen. Customers affected will be offered advice on how to protect themselves against the "potential misuse" of their personal information and will also be given the option to utilise free credit monitoring services. Adobe said that it had informed the banks that process its customer payments about the incident and that they would liaise with payment card companies and the card-issuing banks to "help protect customers' accounts".

Arkin said that the company was also investigating what it believes is a "related" attack which saw hackers gain unauthorised access to source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.

"Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident," Arkin said in a separate blog post. "We are not aware of any zero-day exploits targeting any Adobe products. However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products."

Adobe will "work aggressively to prevent these types of events from occurring in the future", Arkin added.

"It should go without saying that no software company ever wants to have criminals steal its source code – it is, after all, the technology company equivalent of losing the Crown Jewels," information security analyst Graham Cluley said on his website.