Adobe Pays Paltry $1 Million Fine Over Hack In 2013

Adobe is reportedly only paying $1 million over a lawsuit that has to deal with its data breach back in 2013 that put the payment records of around 38 million at risk.

According to Krebs on Security, the $1 million goes to settle a lawsuit by 15 attorney generals stemming from that data breach. Krebs on Security broke news of the hack back on Oct. 3, 2013. With that compromise, hackers were able to steal usernames, passwords and payment data on millions of customers. The hackers also stole source code of Adobe’s software, such as Adobe Acrobat, Adobe Reader, Photoshop and ColdFusion, according to the report.

Earlier this week, the 15 state attorney generals announced the $1 million settlement over the breach, which the AGs said contained personal information of around 552,000 residents of the 15 states that sued. According to Krebs on Security, the victims will walk away with a whopping $1.80. Massachusetts Attorney General Maura Healey said in a statement covered by Krebs on Security: “An investigation by the states revealed that, in Sept. 2013, Adobe received an alert that the hard drive for one of its application servers was nearing capacity. In responding to the alert, Adobe learned that an unauthorized attempt was being made to decrypt customer payment card numbers maintained on the server.”

Adobe discovered that one or more unauthorized intruder(s) had compromised a public-facing web server and used it to access other servers on Adobe’s network, including areas where Adobe stored consumer data,” the statement from Healey’s office went on to state. “The intruder(s) ultimately stole consumer data from Adobe’s servers, including encrypted payment card numbers and expiration dates, names, addresses, telephone numbers, email addresses, usernames (Adobe IDs) and passwords associated with the usernames.”

Meanwhile, North Carolina AG Roy Cooper said that, if the fine was designed to serve as a deterrent, it’s probably not going to do much. He argued the fine should be more commensurate with the actual size of the company and the number of people impacted by it.