Skip the navigation

Adobe hack shows subscription software vendors lucrative targets

Hackers jack 3 million credit cards, many tied to Creative Cloud software-by-subscription service

October 7, 2013 06:44 AM ET

Computerworld - Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals, analysts said today.

"Even before they went to the cloud, bill-you-monthly firms have been a target," said John Pescatore, director of emerging security trends at the SANS Institute, and formerly a Gartner analyst focused on security. "This has been an issue for [Web] hosting providers for years. There are two reasons why. First, they have a trove of credit cards. And second, you know that the cards are good."

Adobe, long a powerhouse in the software industry, has been aggressively promoting Creative Cloud, its software-by-subscription offering, a shift it hopes will "transform our business model and drive higher revenue growth," according to a filing with the U.S. Securities and Exchange Commission (SEC) earlier this year.

Like all software-as-a-service (SaaS), Creative Cloud relies on recurring payments -- monthly or annually -- which for most customers, means providing a credit card. The provider stores that card information so it can charge the customer without sending a traditional bill, and most importantly, waiting for payment.

And those credit cards are valuable to hackers. "The stolen credit card numbers alone could be worth up to $30 million on the black market," said Rajesh Ramanand, the CEO of Signifyd, a Santa Clara, Calif. fraud protection firm, in an email about the Adobe breach.

Adobe isn't the only software maker that's trying to migrate from packaged software sold as with a perpetual license to rental-like subscriptions that must be paid regularly. Microsoft, for example, is working hard to convince customers to adopt its Office 365 subscription service.

SaaS numbers -- of subs and thus credit cards -- have grown significantly at both Adobe and Microsoft, to use two examples. Last month, Adobe said Creative Cloud had 1.03 million subscribers, well on the way toward an end-of-year target of 1.25 million. Also in September, Microsoft said its Office 365 Home Premium -- the version aimed at consumers that requires handing Microsoft a credit card -- had 2 million subscribers, up 100% from a touted 1 million in May.

And the breach will cost Adobe millions in notification and protection costs, as it's promised to reach out to affected customers and provide them with a free year of credit monitoring. "This will cost them $100 per user," said Pescatore, which would mean an expense of almost $300 million.

Adobe disagreed. In a filing with the SEC on Oct. 3, the same day it revealed the network break-in, the company acknowledged the breach but said, "At this time, we do not believe that the attacks will have a material adverse impact on our business or financial results." Not surprisingly, the company also included a caveat, adding, "It is possible, nevertheless, that this incident could have various adverse effects on us."

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!