Adobe settles hacking case that affected 38 million people and pays $1.2m legal bill

[steven36]

Court documents have revealed that Adobe has paid an "undisclosed sum" to settle customer allegations of "shoddy security protocols" after a cyber attack in 2013 resulted in the loss of 38 million customer records.

The company has also been ordered to pay $1.2m in legal fees after the class action lawsuit by a number of affected consumers accused Adobe of having "subpar security systems".

Adobe admitted on 4 October 2013 to the loss of 2.9 million customer records including Adobe IDs, encrypted passwords and credit card information. However, that number had increased to 38 million by the end of October.

The hack, which was discovered by independent researchers, also resulted in the loss of source code for products including Acrobat, ColdFusion and ColdFusion Builder.

The ensuing lawsuit alleged that the loss of data violated the Customer Records Act and claimed declaratory relief and unfair business practices.

Lead plaintiff Christina Halpain sought damages for breach of contract, breach of faith, unfair competition and violation of the California Data Breach Act in November 2013.

"The massive breach did not come as a surprise to industry experts familiar with Adobe's security practices who warned that Adobe's shoddy security protocols and track record of previous breaches made it susceptible to a massive hack of the scope and depth that resulted," she said in the lawsuit.

"Adobe promises its users that it will provide 'reasonable administrative, technical, and physical security controls' to protect [personally identifiable information] and represents that it uses industry-leading security practices to do so, but Adobe's actual security practices are substandard in the industry."

Adobe faced additional claims in September 2014 that it violated its obligation to warn customers of apparently "subpar security systems".

US district judge Lucy Koh remarked at the time that the court was "not convinced" that Adobe's security problems were well publicised and that consumers should have been aware of the problems.

"It is one thing to have a poor reputation for security in general, but that does not mean that Adobe's specific security shortcomings were widely known," she said.

"Some of the stolen data has already surfaced on the internet, and other hackers have allegedly misused it to discover vulnerabilities in Adobe's products. Given this, the danger that plaintiffs' stolen data will be subject to misuse can plausibly be described as certainly impending."

The decision to settle the case and dismiss all related claims came in February this year after those involved signed a Memorandum of Understanding to bring the case to an end.

An Adobe representative told Courthouse News following the announcement that the company is "pleased to have this matter resolved".

V3 contacted Adobe for an additional comment but had received no reply at the time of publication.

Source