Connecticut Attorney General George Jepsen has announced that a settlement has been reached for the 2013 Adobe Systems data breach that affected more than half a million individuals in 15 states.
The 2013 Adobe Systems data breach first came to light on September 17, 2013, when the company received an alert that one of its servers was approaching capacity. The response to that alert revealed that an unauthorized individual was attempting to decrypt customer payment card numbers on an application server. While Adobe managed to stop the decryption process and block access by shutting down the server, action was not taken in time to prevent the theft of customer data. Stolen data included names, addresses, telephone numbers, usernames and encrypted passwords, password hints in plain text, payment card expiration dates, and encrypted payment card numbers. In total, 534,000 individuals were impacted by the breach.
The Adobe investigation into the breach revealed the attackers had compromised a public-facing web server, which was then used to launch attacks on other servers connected to the Adobe network.
The Connecticut attorney general’s office led the investigation into the 2013 Adobe Systems data breach, and was joined by 14 other state attorneys general: Arkansas, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont.
The attorneys general’s investigation determined that Adobe Systems did not implement reasonable security measures to protect against cyberattacks, nor did it implement proper measures to detect attacks promptly.
The technology firm will pay $1 million to resolve the issues discovered during the breach investigation, with the amount split among the 15 states that participated. As the lead state, the Connecticut attorney general’s office will decide how much each participating state will receive. The share paid to Connecticut will be $135,095.71.
The funds will cover attorneys’ fees from the investigation, with the remainder placed in consumer protection law enforcement funds, which will, in part, be used for future consumer protection and privacy enforcement and consumer education programs. The full and final settlement will release Adobe Systems from any future civil claims that could have been filed by state attorneys general under Consumer Protection and Personal Information Safeguards Statutes.
According to Jepsen, “Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access.” Jepsen also pointed out that “Adobe worked in good faith with my office and the states affected by this incident to better protect consumer information going forward, and for that it deserves some credit.”