The firm will also implement security measures to prevent further breaches and will review policies twice per year.
Adobe has received a fine of $1 million for a data breach that occurred in 2013 and exposed millions of users, after a hacker infiltrated a server where the company stored encrypted payment card numbers and expiration dates, names, addresses, telephone numbers, e-mail addresses, usernames, and passwords.
The security breach happened in 2013 when an attacker broke into Adobe’s own network and accessed systems where the company was storing customer data.
At that time, Adobe sent notifications to more than 3.1 million users whose credit card information was stolen, as well as to more than 33 million users whose passwords were compromised.
After a thorough investigation, 15 state Attorneys General ruled that Adobe failed to properly protect customers and fined the company $1 million, while also requiring new security systems that would help prevent similar breaches in the future.
Explaining their decision, the states said that Adobe not only failed to implement security systems to protect user information but also failed to immediately detect the attack and thus reduce the damage.
Adobe forced to implement new security systems
Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont are the states that started the investigation into Adobe, as a total of 500,000 users living in these states were affected by the hack.
“Consumers who entrust a company with their personal data should have that trust respected,” Massachusetts Attorney General Maura Healey said in a statement. “Adobe put consumers’ personal data at risk of being compromised by a data breach, and that is unacceptable. This settlement will put in place important new practices to ensure that a breach like this does not happen again.”
According to the assurance of voluntary compliance, Adobe will have to review its internal security policies twice per year and improve them where necessary in order to make sure that no other hacks can happen in the future. The states also required the firm to implement additional security measures to protect critical user information, such as credit card data.