AG Jepsen, Adobe Reach Agreement Resolving
Connecticut-Led Multistate Investigation into Unauthorized Access to Servers
Attorney General George Jepsen joined 14 other state attorneys general today in announcing a $1 million data breach settlement with the software and technology company Adobe Systems, Inc. The settlement resolves an investigation into the 2013 breach of certain Adobe servers, including servers containing the personal information of approximately 552,000 residents of the participating states.
Connecticut was the lead state in the investigation of the unauthorized server access. The states alleged that Adobe did not use reasonable security measures to protect its systems from an attack or have proper measures in place to immediately detect an attack. The agreement resolves consumer protection and privacy claims against the company and requires Adobe to implement new policies and practices to prevent future similar breaches.
The state's overall share of this settlement is $135,095.71. Of that, $25,000 will go to the Department of Consumer Protection's consumer privacy protection guaranty and enforcement account and the remaining amount will go to the state's General Fund.
"Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access," said Attorney General Jepsen. "Adobe worked in good faith with my office and the states affected by this incident to better protect consumer information going forward, and for that it deserves some credit. My office will continue to be diligent in protecting Connecticut consumers by strictly enforcing our privacy laws."
“Ensuring consumer privacy should be a top priority for all companies. I thank the Office of the Attorney General for diligently working to protect the personal and financial information of Adobe customers in Connecticut,” said Department of Consumer Protection Commissioner Jonathan Harris.
In September 2013, Adobe received an alert that the hard drive for one of its application servers was nearing capacity. In responding to the alert, Adobe learned that an unauthorized attempt was being made to decrypt encrypted customer payment card numbers maintained on the server.
Adobe stopped the decryption process, disconnected the server from the network, and found the attacker had compromised a public-facing Web server and used it to access other servers on Adobe’s network. The attacker ultimately stole encrypted payment card numbers and expiration dates, names, addresses, telephone numbers, e-mail addresses, and usernames as well as other data.
Joining Connecticut in the agreement are Arkansas, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont.
Assistant Attorney General Michele Lucan of the Privacy and Data Security Department, and Assistant Attorney General Matthew Fitzsimmons, head of the Department, assisted the Attorney General with this matter.