Reports are circulating today that a recent hack of Adobe and exfiltration of customer data was larger than thought – data about 38 million active users was compromised:
This raises some interesting questions:
- There is a fundamental risk to a subscription-based business model, which is what Adobe.com has moved to. If you want to charge your customers monthly, like a utility, to use your products or services, then necessarily you have their contact info, credit card numbers, etc. That makes for quite an attractive target for compromise!
- Clearly the data in question should be secured very carefully: encrypted, access controlled (e.g., using a privileged access management system), monitored, etc. Something in these controls clearly failed at Adobe.
This is a warning to customers to beware of sharing CC and similar data with firms that have to retain it indefinitely. It is also a warning to firms that have such practices to be incredibly careful.
PCI-DSS includes lots of good guidelines about how to protect such data — I wonder which rules Adobe managed to not follow?