A Report on 2013 Adobe Data Breach

1. Brief Background
2. Likely incident causes
3. Short-term and long-term impacts of the incident
4. Suggested prevention actions and associated solutions
1. Brief Background
Adobe data breach in 2013
--one of the biggest incidents of the 21st century.

◺ From 2011 to 2013, Adobe shifted from selling desktop licenses to cloud-
based service. Moving to cloud creates vulnerabilities to Adobe’s data
security.
- - technical &
organizational blind spots.

◺ In 2013, attackers leveraged security vulnerabilities and illegally accessed a

customer database containing email addresses, payment data, customer
names, password, and physical addresses. Over 38 million global users were
impacted.

3
Adobe data breach in 2013
Timeline
◺ Hackers accessed a source code repository sometime in mid-August 2013

◺ Adobe noticed breach and decommissioned the compromised database server at 17 th of

Sep 2013.

◺ Adobe utilised a two-factor authentication for data and conducted vulnerability scanning
at the end of the Sep in 2013.

◺ 2013, Oct,3: Adobe first confirmed that 2.9 million customers have had private information
stolen. \cite{}

◺ 2013, Oct,29 : Adobe completed resetting the passwords for all Adobe IDs involved.

◺ 2013, Oct,30: Adobe increased the number of attacked account to 38 million. \cite{}

◺ At 30th of June 2015, Adobe engaged an independent auditor to certify that it has
implemented the remediation work required by the government.

◺ 2018: The company was still dealing with the cleanup and announced a new Experience
Cloud feature that makes security more important. 4
2. Likely incident causes
Technical Issues

Poor security practices by the time of the breach:

⮚ Many Adobe backup server networks run outdated versions

of the software, leaving them vulnerable to compromise.

⮚ Poorly-encrypted passwords: Adobe used the same encryption

key for all passwords.

6
Organizational Blind Spots
⮚ Outdated organization structure
Different departments were working
separately. (the product engineering was
totally separate
from IT security)
--Lack of communication
--Some overlooking of responsibility during
technical operations

⮚ Internal data leak from malicious insiders

--espionage for financial reward or employee
grievances
7
3. Short-term and long-term impacts of the
incident
Short-term impact
● Database Security
○ Leak of users’ information
○ Leak of source code for Adobe Photoshop
○ The database is no longer safe. (Be attacked again if
nothing change)

● Complains and Bad news

○ Large amount of users will complain the company
○ Social media impacts and Negative news increase
Need more budget to solve cyber security
problem and more documents work to handle
society and media
9
Short-term impact
● Economic losses
○ Stock fall
○ Compensation
○ Fine from government

● Legal Action
○ Facing legal liability

Data breach brings high economic losses.

Sometimes, it is a huge blow to the company!
10
Long-term impact
● Damage to company’s reputation
○ Poisoned search results on corporate brand
○ Loss of customers
■ Impacts the future selling

● Less attractive to new employees

○ Employee turnover (Especially at the executive level)
○ Difficult in finding new employees with high IT and
security skills

● Loss of core competitive advantage

○ Loss of source codes may cause the leakage of core
technology
11
4. Suggested prevention actions
& Associated solutions to impact
 Prevention Action
● Firewall setup and the network architecture

○ The firewall monitors the flow of traffic

○ The installation of anti-malware programs

● Using intrusion detection system (IDS)

○ monitors both the hardware and software systems

○ identify any case of illegal attempt

13
Prevention Action
● Regular inspection and maintenance

○ Set up a monitor group to do regular inspection

○ Schedule regular system maintenance

● Strengthen user access management

○ Teach the user how to maintain high-level security

○ adopt proper user training measures

14
 Response
● Towards User
○ Notify customers and business
○ Give Apology and compensation to users who were
influenced

● Towards Public
○ Hire external auditors to do a full investigation
○ Call a press conference

15
 Response
● Towards Government
○ Pay the fine against the agreement
○ Consult with legal counsel

● Towards the internal organization

○ Settle multistate data breach enforcement action.
1. Nominate a Chief security officer(CSO)
2. Hire skilled experts to fix data leakage
3. introduce proper data storage systems

16
References
‘5 Damaging Consequences of A Data Breach’, METACOMPLIANCE MARKETING TEAM,
25/2/2020 https://www.metacompliance.com/blog/5-damaging-consequences-of-a-data-breach/

‘What is the cost of a data breach’, Dan Swinhoe, 13/8/2020

https://www.csoonline.com/article/3434601/what-is-the-cost-of-a-data-breach.html

‘6 Potential Long-Term Impacts of a Data Breach’, Sue Poremba, 5/11/2021

https://securityintelligence.com/articles/long-term-impacts-security-breach/

‘Adobe’s CSO talks security, the 2013 breach, and how he sets priorities’, Terena Bell, 12/4/2018
https://www.csoonline.com/article/3268035/adobe-s-cso-talks-security-the-2013-breach-and-how-he-sets-priorities.html

‘Single block cipher on backup system allowed customer detail access in Adobe breach: OAIC’, Chris Duckett, 9/7/2015
https://www.zdnet.com/article/backup-system-with-single-block-cipher-cause-of-adobe-2013-hack-oaic/

‘Adobe To Announce Source Code, Customer Data Breach’, Brian Krebs, 3/10/2013
https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

‘Adobe pays US$1.2M plus settlements to end 2013 breach class action’, Darren Pauli, 17/8/2015
https://www.theregister.com/2015/08/17/adobe_settles_claims_for_data_breach/

17