Adobe Settles Claims for Massive Data Breach

     (CN) – Adobe is on the hook for $1.1 million in legal fees – and an undisclosed sum to users – amid class allegations that its “shoddy security protocols” led to a massive data breach.
     Hackers stole credit card and login data from 38 million people in October 2013 because of Adobe’s lax practices, the class claimed, a fiasco that was 13 times larger than the company initially reported.
     “The massive breach did not come as a surprise to industry experts familiar with Adobe’s security practices who warned that Adobe’s shoddy security protocols and track record of previous breaches made it susceptible to massive hack of the scope and depth that resulted,” lead plaintiff Christian Halpain said in the complaint.
     Adobe announced the security breach on Oct. 3, 2013, and said hackers had stolen 3 million credit and debit card records and login data from an undetermined number of users.
     The San Jose-based tech giant later acknowledged that about 38 million users had been affected.
     “Adobe promises its users that it will provide ‘reasonable administrative, technical, and physical security controls’ to protect their personally identifiable information and represents that it uses industry-leading security practices to do so, but Adobe’s actual security practices are substandard in the industry and continue to result in breaches of Adobe’s networks and software,” the lawsuit, filed in Northern California, stated.
     In September 2014, U.S. District Judge Lucy Koh rejected Adobe’s request to dismiss the action, which included claims for violating the Customer Records Act, declaratory relief and unfair business practices.
     Adobe argued that the plaintiffs lacked standing because they could not show an actual injury.
     Koh, who agreed that users could not show the company failed to notify them of the breach in a reasonable amount of time, found users’ costs of dealing with the data breach and the threat of future harm very real.
     “There is no need to speculate as to whether the hackers intend to misuse the personal information stolen in the 2013 data breach or whether they will be able to do so,” Koh wrote. “Not only did the hackers deliberately target Adobe’s servers, but plaintiffs allege that the hackers used Adobe’s own systems to decrypt customer credit card numbers. Some of the stolen data has already surfaced on the Internet, and other hackers have allegedly misused it to discover vulnerabilities in Adobe’s products.
     “Given this, the danger that plaintiffs’ stolen data will be subject to misuse can plausibly be described as ‘certainly impending.’ Indeed, the threatened injury here could be more imminent only if plaintiffs could allege that their stolen personal information had already been misused. However, to require plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be ‘literally certain’ in order to constitute injury-in-fact.”
     Adobe violated its obligation to warn customers of apparently subpar security systems, Koh added, though the company claimed its problems were well publicized and that consumers should have been aware of the issues as a result.
     “It is one thing to have a poor reputation for security in general, but that does not mean that Adobe’s specific security shortcomings were widely known,” Koh wrote. “None of the press reports Adobe identifies discusses any specific security deficiencies, and plaintiffs expressly allege that the extent of Adobe’s security shortcomings were revealed only after the 2013 data breach. Given that prior reports of Adobe’s security problems were highly generic, the court cannot say that Adobe did not have exclusive knowledge of its failure to implement industry-standard security measures.”
     On Thursday, Koh granted a voluntary dismissal of the claims per an undisclosed settlement between the parties.
     Adobe also agreed to pay $1.1 million in attorneys’ fees and expenses. Class counsel worked an estimated 2,539 hours on the litigation, according to the ruling.
     Interim lead class counsel Eric Gibbs with Girard Gibbs LLP of San Francisco did not immediately respond to a request for comment.
     An Adobe representative said the company is “pleased to have this matter resolved.”
