In October of this year, Adobe announced that their systems were hacked and attackers accessed Adobe customer IDs, encrypted passwords, and information relating to 2.9 million Adobe customers, including encrypted credit or debit card numbers. Later that month, BBC reported that the number of accounts that was breached was much greater – 38 million! This is in addition to the loss of source code to Photoshop, its popular photo editing software package.
When this happens, it is a very bad day. No, it is a nightmare. No, it is 38 million nightmares! Their fortress of information protection has now been breached and 38 million data horses have run out of the barn.
Adobe is likely engaged in heavy damage control right now considering their obligations to their customers, stakeholders, and corporate responsibilities to maintain compliance with industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare information, Sarbanes-Oxley (SOX) for financial information and Payment Card Industry Data Security Standard (PCI-DSS) for retail payment.
But there is a sliver of good news in their announcement. It is in a single word: encrypted.
Although data was taken from Adobe, some of it was encrypted. Specifically, passwords as well as debit and credit card numbers were encrypted. That, by itself, is reducing the magnitude of this nightmare. There is still work that needs to be done, but by the fact that some of the data was encrypted means that only a portion of the data that was taken has any value to the perpetrators. This is a strike against the perpetrators.
For Adobe, most regulations provide safe harbor from reconciling stolen customer data (especially credit or debit card information) with customers if it is encrypted – which it was. Such safe harbor provisions lift the burden on companies when their data is breached. The fact that much of the data that was stolen was encrypted is a saving grace for Adobe.
The tools of encryption and key management can (and should) be applied at numerous layers of business to protect, isolate, and control data. The technology is well-know and standardized. It is predictable and manageable and in no-way should be considered a scary technology that only the most advanced technical experts can understand and manage.
Cryptography for Business has three simple characteristics:
- It follows standards for encryption and key management
- It is easy to deploy and use
- It provides strong protection against data thieves
Sun Tzu, author of The Art of War, reminds us to know our enemies. Today’s enemies are data thieves working to steal your data for profit. If they cannot steal your data and profit from it, they will look elsewhere. Encrypted data represents an insurmountable challenge from which they cannot profit. Such use of encryption to protect your data and keep it from being used by perpetrators is a prime example of using cryptography for business.
As you look across your enterprise, ask about the data you and your customers depend upon. Ask your team how it is being protected. Ask about cryptography for business – Is it standards-based? Is it easy? Is it providing protection? If not, it should be.
When we look at events such as those that unfortunately happened to Adobe, we will look in detail at what went wrong… but too infrequently, we forget to ask about those things that went right. In Adobe’s case, the answer that that question is simple: they encrypted their data.
Product Manager, Encryption and Key Management
Rick Robinson comes from a diverse background of architecture, development, and deployment of new products and services that employ cryptography in one form ...