Adobe Systems has now been fined $1 million for the data breach that occurred in 2013.
Initially, it was believed that 38 million accounts were breached, but the figure was later revised down to around half a million.
That’s still a heck of a lot of compromised accounts though!
Nature of the breach
The software maker believed that usernames and encrypted passwords were stolen from its active users. The hack gave unauthorised access to usernames, passwords, addresses, telephone numbers, email addresses, payment card information, and expiration dates of active as well as inactive users.
Adobe’s (in)action
This raised alarm bells in my head – why did Adobe not erase the inactive accounts? This could’ve minimised the number drastically. It was argued that Adobe didn’t do enough to prevent the hack of thousands of companies because their security system was lax.
Their failure to have adequate security systems and procedures in place in the event of a breach has landed the software maker with a whopping $1 million fine. It’s alleged that Adobe didn’t have reasonable security measures in place to protect its systems from a cyber-attack, and didn’t have proper procedures in place to immediately detect an attack.
Laws and regulations
Under some American laws, companies and government agencies are required to notify customers if their personal financial information may have been compromised by a security breach. Reporting is seen as good practice, and since the law came into force in 2005, there have apparently been 3,700 reports of security breaches.
U.K. companies don’t always have a legal obligation to report security breaches, but it’s deemed good practice if you do so. Being seen to report a breach will no doubt earn brownie points with customers and data protection regulators. I’m sure customers appreciate honesty and transparency when they’re dealing with a company.
This may all change in 2018 when the EU General Data Protection Regulation comes into force, and companies may have to disclose their security breaches.
Warning bells
This should send out warning bells to companies and organisations that don’t have adequate cyber-security protection. It might be a relief for some companies to hear that the Information Commissioner’s Office’s (ICO) fine is capped at £500,000 in the U.K.; however, this will all change when the EU General Data Protection Regulation comes into force in 2018. Fines and penalties should be the least of a company’s worries; instead, they should focus on the security of their customers’ personal data.
Sources:
http://www.theinquirer.net/inquirer/news/2477489/adobe-to-pay-usd1m-over-2013-security-data-breach