Adobe has issued an important alert for all customers of Adobe. Adobe says they have issued a mass reset of user accounts but many people I’ve spoke with haven’t received a notification via email at this time. The customer alert contains the steps users should take to reset their password without waiting, and it’s strongly recommended that all users that have Adobe accounts do exactly that. The puzzling part about this notification is that Adobe indicates that they store encrypted credit or debit card numbers and expiration dates. This is an audit-failing practice that should not have been implemented and should have been addressed by Adobe as part of a routine PCI/DSS assessment.
Worst Practices
No vendor that uses credit card data is to store credit card numbers, regardless of them being encrypted. It is not needed by the merchant to store the numbers at all, because they are authorized by a payment processing company and the merchant can safely store a token that acts as a reference to a transaction only and does not decrypt into a valid credit card number. Adobe has several products and services that use the Adobe account information, one of which is Business Catalyst; and in the course of some searching I did find one particularly interesting discussion on their support website titled PCI Compliance where a customer is asking about this service in particular and an Adobe rep informs the customer that Business Catalyst is certified as PCI Level 11.
Without knowing more details about their required assessments to maintain that certification, it’s hard to say how they were able to pass an audit and simultaneously engage in this practice of storing credit card numbers. In the case of Business Catalyst, which is a content management service for vendors, it seems very unlikely that the Adobe account system would be out-of-scope for purposes of PCI/DSS. The method used to breach Adobe’s systems and gain access to this data are also important, as Adobe is also required to follow very stringent access controls over information like this. Over the next few days and weeks it seems likely that Adobe will have to further provide additional information At this point it seems very likely that Adobe will be assessed a very large fine in the aftermath of this breach, and can lose their ability to handle credit card payments with subsequent breaches. It’s a very serious issue for them that they will need to tackle sooner rather than later. Breach notification laws exist in 46 out of 50 states in the United States, and Adobe’s status as a publicly traded company means that even more details will have to be released to the SEC. While the consumer side of this incident is terrible enough, Adobe also has reportedly had the sourcecode to their entire product offering taken as well, which can be leveraged by people to write zero-day exploits against previously-unknown vulnerabilities in their software. This is arguably far more serious than millions of encrypted credit card numbers being stolen.
Possible Dangers
Considering that Adobe’s technology is so prevalent in web browsers (Adobe Flash) and in handling forms and documents (Adobe Acrobat) not to mention the dozens of other tools and applications in their portfolio — having access to vulnerabilities that have not yet been broadly discovered will enable malicious actors to tailor their attacks to exploits Adobe and vendors like Microsoft and Symantec aren’t even aware of. These are especially important in so-called “APT” (advanced persistent threat) attacks where an organization is specifically targeted. The next few days are going to involve a lot of nail-biting for Adobe, their customers, and end-users of their products.
Recommendations
- Change account credentials with Adobe immediately
- Make use of the credit monitoring service that Adobe will be providing you
- Monitor accounts more vigorously for fraudulent transactions
- Report incidents of identity theft to the Federal Trade Commission2
- Change your passwords for any website, service, or software that uses the same userID, email address, or password 3
- Weigh the inconvenience of canceling your cards used with Adobe now versus later should it be compromised. In most cases it’s best for you in terms of level of frustration to cancel and request new cards now rather than discovering unauthorized use later when you need to use your credit card and discover that you no longer have an available line of credit.
-
This means that Adobe handles more than 300,000 transactions annually. Level 2 vendors are anything less than that. ↩
-
Currently the FTC is closed following the Congressional Republican shutdown of the United States government. ↩
-
Stop doing this! You should never use the same pair of usernames and passwords for any reason! ↩