In October of this year, Adobe announced that their systems were hacked and attackers accessed Adobe customer IDs, encrypted passwords, and information relating to 2.9 million Adobe customers, including encrypted credit or debit card numbers.  Later that month, BBC reported that the number of accounts that was breached was much greater – 38 million!  This is in addition to the loss of source code to Photoshop, its popular photo editing software package.

When this happens, it is a very bad day.  No, it is a nightmare. No, it is 38 million nightmares! Their fortress of information protection has now been breached and 38 million data horses have run out of the barn.

Adobe is likely engaged in heavy damage control right now considering their obligations to their customers, stakeholders, and corporate responsibilities to maintain compliance with industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare information, Sarbanes-Oxley (SOX) for financial information and Payment Card Industry Data Security Standard (PCI-DSS) for retail payment.

But there is a sliver of good news in their announcement.  It is in a single word:  encrypted.

Although data was taken from Adobe, some of it was encrypted.  Specifically, passwords as well as debit and credit card numbers were encrypted.  That, by itself, is reducing the magnitude of this nightmare.  There is still work that needs to be done, but by the fact that some of the data was encrypted means that only a portion of the data that was taken has any value to the perpetrators.  This is a strike against the perpetrators.

For Adobe, most regulations provide safe harbor from reconciling stolen customer data (especially credit or debit card information) with customers if it is encrypted – which it was.  Such safe harbor provisions lift the burden on companies when their data is breached.  The fact that much of the data that was stolen was encrypted is a saving grace for Adobe.

The tools of encryption and key management can (and should) be applied at numerous layers of business to protect, isolate, and control data.  The technology is well-know and standardized.  It is predictable and manageable and in no-way should be considered a scary technology that only the most advanced technical experts can understand and manage.

Cryptography for Business has three simple characteristics:

  1. It follows standards for encryption and key management
  2. It is easy to deploy and use
  3. It provides strong protection against data thieves

Sun Tzu, author of The Art of War, reminds us to know our enemies. Today’s enemies are data thieves working to steal your data for profit.  If they cannot steal your data and profit from it, they will look elsewhere.  Encrypted data represents an insurmountable challenge from which they cannot profit.  Such use of encryption to protect your data and keep it from being used by perpetrators is a prime example of using cryptography for business.

As you look across your enterprise, ask about the data you and your customers depend upon. Ask your team how it is being protected. Ask about cryptography for business – Is it standards-based? Is it easy? Is it providing protection?  If not, it should be.

When we look at events such as those that unfortunately happened to Adobe, we will look in detail at what went wrong… but too infrequently, we forget to ask about those things that went right.  In Adobe’s case, the answer that that question is simple:  they encrypted their data.

More from Data Protection

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Meeting Today’s Complex Data Privacy Challenges

Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above? If you answered "all of the above," you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned…

The Digital World is Changing Fast: Data Discovery Can Help

The rise in digital technology is creating opportunities for individuals and organizations to achieve unprecedented success. It’s also creating new challenges, particularly in protecting sensitive personal and financial information. Personally identifiable information (PII) is trivial to manage. It’s often spread across multiple locations and formats and can be challenging to find and classify. Organizations need a modern data discovery and classification solution to identify sensitive data across physical, virtual and public clouds. The Current State of Sensitive Data Discovery and…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…