In October of this year, Adobe announced that their systems were hacked and attackers accessed Adobe customer IDs, encrypted passwords, and information relating to 2.9 million Adobe customers, including encrypted credit or debit card numbers.  Later that month, BBC reported that the number of accounts that was breached was much greater – 38 million!  This is in addition to the loss of source code to Photoshop, its popular photo editing software package.

When this happens, it is a very bad day.  No, it is a nightmare. No, it is 38 million nightmares! Their fortress of information protection has now been breached and 38 million data horses have run out of the barn.

Adobe is likely engaged in heavy damage control right now considering their obligations to their customers, stakeholders, and corporate responsibilities to maintain compliance with industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare information, Sarbanes-Oxley (SOX) for financial information and Payment Card Industry Data Security Standard (PCI-DSS) for retail payment.

But there is a sliver of good news in their announcement.  It is in a single word:  encrypted.

Although data was taken from Adobe, some of it was encrypted.  Specifically, passwords as well as debit and credit card numbers were encrypted.  That, by itself, is reducing the magnitude of this nightmare.  There is still work that needs to be done, but by the fact that some of the data was encrypted means that only a portion of the data that was taken has any value to the perpetrators.  This is a strike against the perpetrators.

For Adobe, most regulations provide safe harbor from reconciling stolen customer data (especially credit or debit card information) with customers if it is encrypted – which it was.  Such safe harbor provisions lift the burden on companies when their data is breached.  The fact that much of the data that was stolen was encrypted is a saving grace for Adobe.

The tools of encryption and key management can (and should) be applied at numerous layers of business to protect, isolate, and control data.  The technology is well-know and standardized.  It is predictable and manageable and in no-way should be considered a scary technology that only the most advanced technical experts can understand and manage.

Cryptography for Business has three simple characteristics:

  1. It follows standards for encryption and key management
  2. It is easy to deploy and use
  3. It provides strong protection against data thieves

Sun Tzu, author of The Art of War, reminds us to know our enemies. Today’s enemies are data thieves working to steal your data for profit.  If they cannot steal your data and profit from it, they will look elsewhere.  Encrypted data represents an insurmountable challenge from which they cannot profit.  Such use of encryption to protect your data and keep it from being used by perpetrators is a prime example of using cryptography for business.

As you look across your enterprise, ask about the data you and your customers depend upon. Ask your team how it is being protected. Ask about cryptography for business – Is it standards-based? Is it easy? Is it providing protection?  If not, it should be.

When we look at events such as those that unfortunately happened to Adobe, we will look in detail at what went wrong… but too infrequently, we forget to ask about those things that went right.  In Adobe’s case, the answer that that question is simple:  they encrypted their data.

More from Data Protection

Cost of a data breach 2023: Pharmaceutical industry impacts

3 min read - Data breaches are both commonplace and costly in the medical industry.  Two industry verticals that fall under the medical umbrella — healthcare and pharmaceuticals — sit at the top of the list of the highest average cost of a data breach, according to IBM’s Cost of a Data Breach Report 2023. The health industry’s place at the top spot of most costly data breaches is probably not a surprise. With its sensitive and valuable data assets, it is one of…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Advanced analytics can help detect insider threats rapidly

2 min read - While external cyber threats capture headlines, the rise of insider threats from within an organization is a growing concern. In 2023, the average cost of a data breach caused by an insider reached $4.90 million, 9.6% higher than the global average data breach cost of $4.45 million. To effectively combat this danger, integrating advanced analytics into data security software has become a critical and proactive defense strategy. Understanding insider threats Insider threats come from users who abuse authorized access to…

One simple way to cut ransomware recovery costs in half

4 min read - Whichever way you look at the data, it is considerably cheaper to use backups to recover from a ransomware attack than to pay the ransom. The median recovery cost for those that use backups is half the cost incurred by those that paid the ransom, according to a recent study. Similarly, the mean recovery cost is almost $1 million lower for those that used backups. Despite this fact, the use of backups is actually falling. This was one of the…