November 11, 2013 By Rick Robinson 2 min read

In October of this year, Adobe announced that their systems were hacked and attackers accessed Adobe customer IDs, encrypted passwords, and information relating to 2.9 million Adobe customers, including encrypted credit or debit card numbers.  Later that month, BBC reported that the number of accounts that was breached was much greater – 38 million!  This is in addition to the loss of source code to Photoshop, its popular photo editing software package.

When this happens, it is a very bad day.  No, it is a nightmare. No, it is 38 million nightmares! Their fortress of information protection has now been breached and 38 million data horses have run out of the barn.

Adobe is likely engaged in heavy damage control right now considering their obligations to their customers, stakeholders, and corporate responsibilities to maintain compliance with industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare information, Sarbanes-Oxley (SOX) for financial information and Payment Card Industry Data Security Standard (PCI-DSS) for retail payment.

But there is a sliver of good news in their announcement.  It is in a single word:  encrypted.

Although data was taken from Adobe, some of it was encrypted.  Specifically, passwords as well as debit and credit card numbers were encrypted.  That, by itself, is reducing the magnitude of this nightmare.  There is still work that needs to be done, but by the fact that some of the data was encrypted means that only a portion of the data that was taken has any value to the perpetrators.  This is a strike against the perpetrators.

For Adobe, most regulations provide safe harbor from reconciling stolen customer data (especially credit or debit card information) with customers if it is encrypted – which it was.  Such safe harbor provisions lift the burden on companies when their data is breached.  The fact that much of the data that was stolen was encrypted is a saving grace for Adobe.

The tools of encryption and key management can (and should) be applied at numerous layers of business to protect, isolate, and control data.  The technology is well-know and standardized.  It is predictable and manageable and in no-way should be considered a scary technology that only the most advanced technical experts can understand and manage.

Cryptography for Business has three simple characteristics:

  1. It follows standards for encryption and key management
  2. It is easy to deploy and use
  3. It provides strong protection against data thieves

Sun Tzu, author of The Art of War, reminds us to know our enemies. Today’s enemies are data thieves working to steal your data for profit.  If they cannot steal your data and profit from it, they will look elsewhere.  Encrypted data represents an insurmountable challenge from which they cannot profit.  Such use of encryption to protect your data and keep it from being used by perpetrators is a prime example of using cryptography for business.

As you look across your enterprise, ask about the data you and your customers depend upon. Ask your team how it is being protected. Ask about cryptography for business – Is it standards-based? Is it easy? Is it providing protection?  If not, it should be.

When we look at events such as those that unfortunately happened to Adobe, we will look in detail at what went wrong… but too infrequently, we forget to ask about those things that went right.  In Adobe’s case, the answer that that question is simple:  they encrypted their data.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today