Adobe web portal exposes educational software users

Date Reported:
5/1/08

Organization:
Adobe Systems Incorporated

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature.

Breach Description:
"It appears that certain personal information was stored on a server accessed via an Adobe website portal at a time when the server did not contain security or authentication procedures. The server was created to allow customers to upload information in order to enable Adobe to validate a customer's qualification to purchase certain education software."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you of a recent incident possibly involving the unauthorized exposure of your personal information.

The information was stored on a server accessed via an Adobe website portal at a time when the server did not contain Adobe's standard security or authentication procedures.

The information was stored in relation to status verification for your recent purchase of Adobe education version software.

Based on our investigation to date, we believe some combination of the following information may have been exposed for the customers we are notifying: name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature.
[Evan] Holy moly!  How much information did Adobe request from people?  The purpose of collecting the information was "status verification", which I assume means making sure that you are allowed to use education version software at a significantly reduced price.  No urine samples, blood samples, etc.?

We have no reason to believe that any personally identifiable information was potentially exposed except the information contained in the images that you uploaded to Adobe.
[Evan] Huh?

We apologize for this incident and sincerely regret any inconvenience that these events and responding to this notice may cause you.

Please note that Adobe has no indication that any unauthorized individual has accessed, has used, or is using your personal information; we bring this incident to your attention, however, so that you can be alerted to signs of possible misuse of your personal information should it occur.

Immediately after Adobe learned of this incident, we secured the server and removed the feature in the website portal allowing customer access in order to prevent unauthorized access to the information.

Additionally, we began an investigation to determine which files, if any, were exposed.

Our investigation revealed that files containing the above information were not properly secured, and could have been accessed by unauthorized third parties via the Internet.

Adobe is providing a year of free credit monitoring.

Please rest assured that Adobe takes data security very seriously and we have already taken steps to minimize any risk from this incident and any future incidents.

Commentary:
It seems like Adobe is/was collecting much more information than was necessary to verify that a claimed educational user is/was in fact an educational user.  Adobe has a very significant web presence.  I am pretty sure they employ some very talented (and well trained) web developers, a robust change control process (including segregated dev and prod environments), and a talented information security crew.  How did this slip through the cracks?  I also wonder how Adobe became aware of the exposure.

Past Breaches:
Unknown
