Last week, Adobe revealed it was the victim of one of the largest data breaches in a decade. Cyber criminals stole the software giant's source code for Adobe Reader and the credit card information for almost 3 million users, which will expose its customers to identity theft and other targeted attacks. The Financial Times explains the ramifications of this cyber attack.
Let's explore this massive data breach from an IT insurance perspective. We'll look at what Adobe did wrong, what they’re doing right, and what cyber liabilities IT professionals have. (For more on protecting yourself from cyber risks, check out our page on Cyber Liability Insurance.)
Information Breach: How an Industry Leader Lost Its Source Code
Source code is the skeletal code for a computer program – the basic foundation that makes all other parts of a program work. Losing it to hackers is a big deal.
Now that cyber criminals have access to the Adobe Reader source code, they can find numerous holes in the software and exploit these weaknesses to hack into user computers. This is especially problematic because of how prevalent the software is.
If you open a PDF, there's a good chance you're using Adobe Reader. The software is on nearly every platform: smartphones, computers, tablets, e-readers, etc. Unless you’re using a Mac-supported program like Preview, you and your clients probably won't be able to avoid using it.
When hackers steal Adobe's source code, it exposes IT professionals to more liability. If you install Adobe Reader on a client computer, you could be sued, should hackers break into a client network through the software. Furthermore, this security hazard is now a known weakness, which means you’re responsible for planning around it.
How to Protect Data: Tips from Adobe's Data Breach
While Adobe certainly looks bad after the data breach, it did some things well to protect its users. Here's a breakdown of its response and what it can teach you about data privacy protection.
- Data encryption. Fortunately for Adobe and its 2.9 million users, the credit card information was encrypted. Hackers would have to break the encryption in order to access it – a process that is possible but difficult.
- Password reset. You may have gotten an email from Adobe telling you the company has reset your password. This precautionary move will make it harder for hackers to use stolen account information to access user accounts.
- Customer notification. Adobe has also notified consumers who may have had their credit card information stolen. In fact, this is required by law. State regulations require businesses to notify anyone whose private information (SSNs, DOBs, credit card information, etc.) has been stolen.
How to Protect Yourself
We've gone over how you can protect data and user accounts, but there's another question: how can IT professionals protect themselves from a data breach lawsuit? Here are a few tips:
- Know your legal requirements. In addition to notifying customers about data breaches, you may have other legal responsibilities. IT consultants who work with medical data will have to follow HIPAA regulations, which have strict requirements for data security. (For more on these regulations, read our post "HITECH: The Strictest Data Protection Law").
- Stay current. Being up-to-date on potential threats can save you thousands in legal expenses (one top blog for the latest threats is Krebs on Security, written by former Washington Post writer Brian Krebs). Inform your clients of any new threats and remind them to install updates as soon as they’re available.
- Invest in IT Insurance. Data security products and services can protect you from a hacker, but we all know some hackers will be one step ahead of security software. The best way to protect yourself is to purchase IT insurance, which can pay for lawsuits over professional mistakes, data breaches, and other liabilities. (For an explanation of cyber liability, read our article "Third Party vs. First Party Cyber Risk Insurance").