Skip the navigation

Adobe hack shows subscription software vendors lucrative targets

Hackers jack 3 million credit cards, many tied to Creative Cloud software-by-subscription service

October 7, 2013 06:44 AM ET

Computerworld - Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals, analysts said today.

"Even before they went to the cloud, bill-you-monthly firms have been a target," said John Pescatore, director of emerging security trends at the SANS Institute, and formerly a Gartner analyst focused on security. "This has been an issue for [Web] hosting providers for years. There are two reasons why. First, they have a trove of credit cards. And second, you know that the cards are good."

Adobe, long a powerhouse in the software industry, has been aggressively promoting Creative Cloud, its software-by-subscription offering, a shift it hopes will "transform our business model and drive higher revenue growth," according to a filing with the U.S. Securities and Exchange Commission (SEC) earlier this year.

Like all software-as-a-service (SaaS), Creative Cloud relies on recurring payments -- monthly or annually -- which for most customers, means providing a credit card. The provider stores that card information so it can charge the customer without sending a traditional bill, and most importantly, waiting for payment.

And those credit cards are valuable to hackers. "The stolen credit card numbers alone could be worth up to $30 million on the black market," said Rajesh Ramanand, the CEO of Signifyd, a Santa Clara, Calif. fraud protection firm, in an email about the Adobe breach.

Adobe isn't the only software maker that's trying to migrate from packaged software sold as with a perpetual license to rental-like subscriptions that must be paid regularly. Microsoft, for example, is working hard to convince customers to adopt its Office 365 subscription service.

SaaS numbers -- of subs and thus credit cards -- have grown significantly at both Adobe and Microsoft, to use two examples. Last month, Adobe said Creative Cloud had 1.03 million subscribers, well on the way toward an end-of-year target of 1.25 million. Also in September, Microsoft said its Office 365 Home Premium -- the version aimed at consumers that requires handing Microsoft a credit card -- had 2 million subscribers, up 100% from a touted 1 million in May.

And the breach will cost Adobe millions in notification and protection costs, as it's promised to reach out to affected customers and provide them with a free year of credit monitoring. "This will cost them $100 per user," said Pescatore, which would mean an expense of almost $300 million.

Adobe disagreed. In a filing with the SEC on Oct. 3, the same day it revealed the network break-in, the company acknowledged the breach but said, "At this time, we do not believe that the attacks will have a material adverse impact on our business or financial results." Not surprisingly, the company also included a caveat, adding, "It is possible, nevertheless, that this incident could have various adverse effects on us."



Our Commenting Policies