How do you protect against cyberattacks? If you're like most organizations, you have layered security defenses that safeguard common threat vectors at your endpoints, as well as your apps and services. You may even have training policies in place to teach your employees not to click on malware embedded in a phishing email.
Increasingly, however, bad actors are leveraging techniques that don't require human interaction. An attacker can compromise a website by exploiting, say, a vulnerable WordPress or Drupal plugin, then use that site to serve a browser exploit that installs malware capable of locking up your organization's files. This webinar, hosted by Zscaler, will walk you through some of these seemingly invisible attacks and show how its Cloud Security Platform can identify the root cause of attacks - and stop them before they can impact your business.
Even the best layered cybersecurity defenses can fall victim to an innovative attack. Worse, because these defenses have so many moving parts, detecting and mitigating cyberattacks is difficult to do before the damage is done. Simply put, you need a defense that provides visibility into root causes of these myriad attacks - so that you can protect against evolving, oftentimes relentless exploits.
In this exclusive webinar, Deepen Desai, Senior Director, Security Research at Zscaler, will go through a real-time demo of a typical cyberattack. He will also delineate:
The evolution in the techniques cybercriminals are using to attack your systems;
Best practices and security recommendations to defend against multistage attacks; and
How Zscaler Cloud Security Platform can consolidate and harden your security posture.
- Details
- Category: Security News
Cybersecurity, Risk Management
Cybersecurity Assessment Tool Use Not 'Truly' Voluntary
Institutions Have to Assume They'll Be Questioned About Use of FFIEC Tool
Last month, the Federal Financial Institutions Examination Council responded to institutions' requests for clarification about how, and to what extent, the Cybersecurity Assessment Tool should be used when preparing for regulatory IT examinations (see Banks to FFIEC: Cyber Tool is Flawed).
As part of that "frequently asked questions" guide, the FFIEC addressed a number of concerns, the most pressing of which relates to banks' and credit unions' ongoing confusion about whether use of the tool is mandatory.
Once again, the FFIEC stressed that use of the tool is voluntary: "The FFIEC released the Assessment as a voluntary tool that institution management may use to determine the institution's inherent risk and cybersecurity preparedness."
Nevertheless, some FFIEC critics tell me that regulators are still questioning institutions about their use of the tool during IT examinations.
"The CAT is not necessarily 'voluntary,'" says former bank CISO David Shroyer, who now works as managing director of information and cybersecurity for Queen Associates, an IT consultancy and staffing agency. "It will be reviewed in every exam."
So, if examiners keep asking to review internal risk assessments based on the tool, then the tool's use is not voluntary.
The FFIEC needs to clarify how much discretion individual examiners have when it comes to relying on the tool to determine risk preparedness during exams.
"[The FAQ] should clarify the fact that examiners should not be asking to review these assessments as if they were mandatory," contends financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "It's the examinations that are the main problem, not the tool, in my opinion."
The FAQ fails to clarify whether examiners will ask to review, during exams, the self-assessments institutions conducted with the tool: "To obtain additional information about a particular FFIEC member's use of the Assessment, financial institution management should contact its institution's regulator directly," the FAQ notes.
Regulators Admit Ambiguity Exists
Soon after the FAQ was published, I spoke with Tim Segerson and Wayne Trout of the National Credit Union Administration's Office of Examination and Insurance (see FFIEC Sheds Light on Use of Cybersecurity Assessment Tool). The NCUA is one of the five regulatory agencies that make up the FFIEC.
Segerson and Trout agreed the FAQ doesn't answer every question, and they indicated that the tool is likely to eventually be updated and/or revamped to better address emerging cyber risks. But they acknowledged that although the use of the tool is voluntary, its use is still likely to come up during IT examinations.
"On the examination process right now, for institutions that have ... actually gone through and completed the assessment tool, examiners are engaging in conversation with those institutions' managers and determining what the institution rated themselves in the inherent risk profile, as well as [how] the institution rates themselves in the maturity portion of the tool," Trout noted in our October interview.
Segerson and Trout pointed out, however, that they could not be certain about how other agencies' examiners are discussing the assessment tool during exams.
I reached out to the four other FFIEC agencies - the Office of the Comptroller of the Currency, the Federal Reserve, the Federal Deposit Insurance Corp. and the Consumer Financial Protection Bureau - for clarification about how their examiners plan to use the tool or inquire about its use during exams. None immediately replied to my request for comment.
Avoid 'One-Size-Fits-All' Approach
Al Pascual, who oversees fraud and security at Javelin Strategy & Research, says the FFIEC really can't be too prescriptive when it comes to how each agency expects institutions to use the tool. "The FFIEC would be doing the industry a disservice if it tried to prescribe a one-size-fits-all approach to security," he says.
Still, it's not fair to banks and credit unions for regulators to say the tool's use is voluntary and then raise questions about how it's being used during examinations.
With so much ambiguity about how individual agency examiners could use the tool during exams, it's no wonder banks are confused.
What's more, if the FFIEC is leaving it up to individual regulatory agencies to decide how they will use the tool or talk about the tool's findings during assessments, then use of the tool is not truly voluntary.
"The FFIEC should have been more explicit about the fact that the regulators should not be implicitly enforcing use of the tool," Litan tells me. "Instead, they are telling the members to contact their regulator directly. It's the FFIEC's job to spread the word about the misaligned examinations - i.e., that they should not be treating these assessments as if they were required."
But Losses to Adobe and Others Who Used Its Software Are Incalculable
Adobe Systems will pay a $1 million settlement to 15 states for its 2013 data breach, which at the time was one of the largest known breaches of user account data.
"The settlement resolves consumer protection, data security and privacy claims against the company," the Massachusetts Attorney General's office says in a statement. The settlement also requires Adobe to put in place defenses to better protect data.
Parties to the agreement are Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont, where a total of 534,000 victims lived. The settlement works out to be less than $2 per victim.
"It is good to see that the states tried to recover losses sustained by some of their residents, but it is unlikely scalable to the actual losses sustained by many consumers," says Alex Holden, CISO at Hold Security, who discovered Adobe's breach.
38 Million Accounts Affected
Adobe disclosed a series of data breaches in October 2013. It initially believed that only 2.9 million accounts were affected, but three weeks later said the breach involved 38 million active accounts. The full stolen data, a 3.8GB file, contained 153 million accounts.
The stolen data included names, addresses, phone numbers, email addresses, usernames and encrypted payment card numbers and expiration dates.
The states alleged that Adobe "did not take reasonable steps to protect consumers' personal information or to promptly detect the attack and prevent the theft," according to Massachusetts' Attorney General's office.
The money will be split among the states depending on the number of victims who reside in each. For example, North Carolina, whose attorney general's office released a statement on the settlement, will get more than $71,000 for its 52,734 victims. Massachusetts says its share is more than $70,000 for 53,000 victims.
The financial penalty in the settlement probably pales in comparison to the legal fees Adobe has incurred, says Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned breach notification website.
"I think the most interesting thing about this is here we are three years later, and the saga is still playing out," Hunt says. "$1 million doesn't seem like much. You have to wonder what three years of lawyers and court wrangling would have added up to."
In 2015, Adobe chose to settle a class-action suit filed in federal court in California related to the 2013 breach. The terms of the settlement were not disclosed, but Adobe ended up paying $1.2 million of the plaintiffs' legal fees (see Adobe Plans to Settle Breach Lawsuit).
Source Code Also Stolen
The breach occurred after attackers compromised one of Adobe's public-facing web servers and then used that access to move laterally through its network, according to the Massachusetts Attorney General's office. Adobe "received an alert that the hard drive for one of its application servers was nearing capacity," it says.
"In responding to the alert, Adobe learned that an unauthorized attempt was being made to decrypt customer payment card numbers maintained on the server," according to the statement.
The attackers also stole Adobe source code, a theft that was also discovered by Holden. He found the code stashed on a server run by a hacking gang. The source code had been encrypted, or at least stolen in that form, but the files were left unprotected on the server when Holden found them.
The theft of source code, which included Adobe's ColdFusion web server software, is an almost incalculable loss that also likely caused financial harm to other Adobe customers not party to the settlement, Holden says. Hackers could develop zero-day exploits from the ColdFusion source code, he says.
"Exploitations of Adobe's web server product ColdFusion led to thousands of sites being compromised and losses of even more data," Holden says.
HIPAA/HITECH, Privacy, Risk Management
Experts Call for Caution in Protecting Sensitive Information
If President-elect Donald Trump fulfills a campaign promise of repealing Obamacare - which could result in the dismantling of HealthCare.gov and state health insurance exchanges - great caution will be needed to protect the data of millions of consumers contained in those systems.
Meanwhile, a new federal watchdog report reviewing the security of the state of New York's health insurance exchange shows some security shortcomings in the existing Obamacare system. The review by the U.S. Department of Health and Human Services' Office of Inspector General is the latest of several Obamacare-related data security reports issued in recent years by watchdog agencies.
Protecting Privacy
Even if Obamacare, officially known as the Affordable Care Act, is repealed, "I don't believe the current approach of security and privacy management will change," says Curt Kwak, former CIO at the Washington state health insurance exchange and now CIO of Proliance Surgeons in Seattle. "It will be a long change management process with the same level of scrutiny and focus that we have always placed on consumer data, including PHI. I would suspect it would be like changing any critical large system, which is to focus on data initially, safeguard and archive, before any work on the system begins."
Also, some data handled by the state-based exchanges is obtained through federal systems, including the Internal Revenue Service and Centers for Medicare and Medicaid Services, as well as state agencies, he notes. "These systems are as locked down as you are going to get, governed by the government. ... So as long as there is leadership and full accountabilities established to all parties, I think it will be OK."
Mac McMillan, CEO of security consultancy CynergisTek, says that if Obamacare is repealed, the most important security measure "will be the proper disposition of the data, sanitization of systems and the eventual destruction of the information itself. But before that, there is a more important question regarding the disposition of this information as part of the individuals' health history or record."
The Next Steps
The concern in the repeal of Obamacare resulting in the discontinuation of Healthcare.gov and related systems at many states "are the same faced by the dismantlement or shutting down of any program or business handling sensitive or in this case patient information," McMillan says. "Care will need to be taken to first preserve the information, then protect the data, and eventually distribute/restore it as part of that person's record once they have alternative coverage."
Any potential dismantling of systems associated with health insurance exchanges under Obamacare - if it's, indeed, repealed - would require the same level of caution to protect data that any healthcare entity or business associate would need to exercise if any of their business operations were to cease, McMillan says.
"If an entity goes out of business they should return the information to the covered entity who owns it and properly sanitize all systems before disposing of them," McMillan says. "If an organization retires/migrates a system, they are still obligated under the [HIPAA] rule to retain the information and/or follow the disposition instructions of the covered entity who owns the data."
If health insurance exchange systems will no longer need to store PHI, "the data needs to be wiped in a manner that complies with HIPAA requirements for media reuse and disposal," notes Keith Fricke, partner and principal consultant at tw-Security.
But even before systems are potentially dismantled, data needs to be protected during in-between stages of discontinued operations, he notes. "Take the systems offline and restrict physical and electronic access until the data are properly disposed of," he suggests.
Similar Challenges
The processes and procedures that would be needed to protect Obamacare-related data if the law is repealed are similar to what covered entities and business associates deal with when faced with operations or business shutdowns.
"The processes for proper destruction/sanitization still apply," McMillan says. "If the entity is retaining the retired system as an archive, then steps should be taken to encrypt the data if not done so already, to limit access and to remove from the production environment so it is not accessible without review/permission."
Even when covered entities or BAs go out of business, Fricke notes, "organizations are still obligated to protect the patient data while in their custody; therefore, all required administrative, physical and technical controls are still in play. Also, contract language for any parties involved should have language addressing termination of relationship and agreed-upon actions to be taken to dispose of data."
Any type of major change introduces risk, says Dan Berger, CEO of the consultancy Redspin. "Many breaches have occurred as a result of servers being left online that were thought to have been disconnected," he points out.
Rigorous planning in advance of the dismantling process - and exceptional execution - are required to ensure that data is protected, Berger notes. "In addition, there has to be an offline data retention plan in place and ultimately an airtight data disposal process," he says.
Of course, a security risk assessment is essential before any major change in infrastructure or systems, Berger adds. "End-of-life is no exception and carries additional considerations for data retention obligations and secure disposal," he says.
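Berger's warning above, that breaches have followed from servers thought to be disconnected but still online, is the kind of claim a decommissioning plan should verify rather than assume. The following is an added example, not code from the article or from any of the consultants quoted. It assumes two hypothetical inputs: a decommission manifest (CSV of IP, hostname and change ticket) and the grepable output of an nmap ping sweep run from inside the network; both are constructed here. Hosts that nmap still reports as up are flagged as failures, and hosts absent from the scan are reported separately, since "not seen" is not evidence that a machine is off.

```python
"""Check a decommission manifest against a host-discovery scan.

Added example: the manifest format, the ticket IDs, the addresses and the scan
output are all constructed for illustration. The scan format is nmap's
grepable (-oG) output; a host is considered "live" only when nmap reports
"Status: Up", and a manifest entry with no scan line is "not_observed" rather
than assumed down.
"""
import re
from dataclasses import dataclass

# Constructed manifest: assets that were supposed to be powered off and wiped.
DECOMMISSION_MANIFEST = """\
# ip,hostname,ticket
10.20.4.11,hix-web-01,CHG-1001
10.20.4.12,hix-web-02,CHG-1001
10.20.5.30,hix-db-01,CHG-1002
10.20.7.8,hix-etl-01,CHG-1003
"""

# Constructed nmap grepable output, trimmed to a few hosts.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sn -v -oG - 10.20.0.0/16
Host: 10.20.4.11 ()\tStatus: Up
Host: 10.20.4.12 ()\tStatus: Down
Host: 10.20.5.30 (hix-db-01.corp.example)\tStatus: Up
Host: 10.20.6.2 (jump.corp.example)\tStatus: Up
# Nmap done -- 65536 IP addresses (3 hosts up) scanned in 449.12 seconds
"""

# One "Host:" line of -oG output: address, optional reverse name, status.
HOST_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Status:\s+(?P<status>\w+)"
)


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    ticket: str


def parse_manifest(text):
    """Return {ip: Asset} from the CSV manifest, skipping comments and blanks."""
    assets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, hostname, ticket = (field.strip() for field in line.split(","))
        assets[ip] = Asset(ip, hostname, ticket)
    return assets


def parse_nmap_grepable(text):
    """Return {ip: status} ("up"/"down") from nmap -oG output."""
    status = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if match:
            status[match.group("ip")] = match.group("status").lower()
    return status


def verify_decommission(manifest, scan):
    """Sort manifest entries into live, down and not_observed buckets."""
    result = {"live": [], "down": [], "not_observed": []}
    for ip, asset in sorted(manifest.items()):
        state = scan.get(ip)
        if state == "up":
            result["live"].append(asset)        # still answering: decommission failed
        elif state is None:
            result["not_observed"].append(asset)  # no evidence either way
        else:
            result["down"].append(asset)
    return result


def main():
    outcome = verify_decommission(
        parse_manifest(DECOMMISSION_MANIFEST), parse_nmap_grepable(NMAP_GREPABLE)
    )
    for bucket, assets in outcome.items():
        for asset in assets:
            print(f"{bucket:13s} {asset.ip:12s} {asset.hostname:12s} {asset.ticket}")


if __name__ == "__main__":
    main()
```

Run it on the constructed data and two manifest hosts come back as live, one as down and one as not observed; only the "down" bucket closes the change ticket, the other two go back to the decommissioning team. A real run would feed in the actual `nmap -sn -v -oG` output; the `-v` flag is what makes nmap print "Status: Down" lines rather than omitting them.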
New York State Exchange
As for the OIG's review of the New York health insurance exchange, the watchdog agency found that the New York marketplace had implemented many security controls, including policies and procedures, to protect PII on its website and database. "However, it did not always comply with federal requirements. Specifically, the New York marketplace had not adequately secured its website," OIG wrote.
OIG also notes: "Although we did not identify evidence that the vulnerabilities in the New York marketplace's website had been exploited, exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations."
OIG says the vulnerabilities could have resulted in the compromise of data confidentiality and integrity as well as jeopardized the availability of the marketplace. In addition, without proper safeguards, the vulnerabilities would leave the systems and network at risk for crimes involving fraud as well as malicious attacks.
One of the key takeaways from OIG's reviews of the Obamacare health insurance exchanges is the paramount importance of website and web application security, Berger says. "In the commercial sector, web application security is a specialized discipline that attracts among the best security engineers in the business. Prudent web app security involves manual testing as vulnerabilities are often the result of business logic flaws, something automated scanners won't always detect."
Other States
OIG's review earlier this year of the security of Minnesota's state-operated health insurance exchange under the Affordable Care Act also revealed various security weaknesses that potentially put sensitive consumer data at risk (see OIG Flags Security Flaws in Two State Health Info Systems).
Also, a GAO report issued in September said undercover testing for the 2016 coverage year found that the eligibility determination and enrollment processes of online healthcare marketplaces in California, Virginia and West Virginia were vulnerable to fraud (see GAO: Obamacare Enrollment Fraud Vulnerabilities Persist).
Mitigate Risks and Protect Your Users from Cyberattacks, Avoid the Yahoo Data Breach
Highlighting the latest ISMG Security Report: National Institute of Standards and Technology's Ron Ross explains how a new approach employing engineering principles can be used to build secure, trustworthy systems.
In the Security Report, you'll also hear:
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Nov. 11 and Nov. 15 reports, which respectively analyzed the cybersecurity challenges Donald Trump faces as the 45th president and how the Trump administration will address health IT security and privacy. The next ISMG Security Report will be posted on Tuesday, Nov. 22.
Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.