[BreachExchange] Connecticut, other states, reach $1 million settlement with Adobe Systems

[Audrey McNeil]

http://wtnh.com/2016/11/10/connecticut-other-states-
reach-1-million-settlement-with-adobe-systems/

Connecticut Attorney General George Jepsen joined 14 other state attorneys
general today in announcing a $1 million data breach settlement with the
software and technology company Adobe Systems, Inc.   The settlement
resolves an investigation into the 2013 breach of certain Adobe servers,
including servers containing the personal information of approximately
552,000 residents of the participating states.

Connecticut was the lead state in the investigation of the unauthorized
server access. The states alleged that Adobe did not use reasonable
security measures to protect its systems from an attack or have proper
measures in place to immediately detect an attack. The agreement resolves
consumer protection and privacy claims against the company and requires
Adobe to implement new policies and practices to prevent future similar
breaches.

The state’s overall share of this settlement is $135,095.71. Of that,
$25,000 will go to the Department of Consumer Protection’s consumer privacy
protection guaranty and enforcement account and the remaining amount will
go to the state’s General Fund.

“Consumers should have a reasonable expectation that their personal and
financial information is properly safeguarded from unauthorized access,”
said Attorney General Jepsen. “Adobe worked in good faith with my office
and the states affected by this incident to better protect consumer
information going forward, and for that it deserves some credit.  My office
will continue to be diligent in protecting Connecticut consumers by
strictly enforcing our privacy laws.”

In September 2013, Adobe received an alert that the hard drive for one of
its application servers was nearing capacity.  In responding to the alert,
Adobe learned that an unauthorized attempt was being made to decrypt
encrypted customer payment card numbers maintained on the server.

Adobe stopped the decryption process, disconnected the server from the
network, and found the attacker had compromised a public-facing Web server
and used it to access other servers on Adobe’s network. The attacker
ultimately stole encrypted payment card numbers and expiration dates,
names, addresses, telephone numbers, e-mail addresses, and usernames as
well as other data.

Joining Connecticut in the agreement are Arkansas, Illinois, Indiana,
Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North
Carolina, Ohio, Oregon, Pennsylvania and Vermont.

Assistant Attorney General Michele Lucan of the Privacy and Data Security
Department, and Assistant Attorney General Matthew Fitzsimmons, head of the
Department, assisted the Attorney General with this matter.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161110/7359b59b/attachment.html>