Adobe hack shows subscription software vendors lucrative targets
Hackers jack 3 million credit cards, many tied to Creative Cloud software-by-subscription service
Computerworld - Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals, analysts said today.
"Even before they went to the cloud, bill-you-monthly firms have been a target," said John Pescatore, director of emerging security trends at the SANS Institute, and formerly a Gartner analyst focused on security. "This has been an issue for [Web] hosting providers for years. There are two reasons why. First, they have a trove of credit cards. And second, you know that the cards are good."
Adobe, long a powerhouse in the software industry, has been aggressively promoting Creative Cloud, its software-by-subscription offering, a shift it hopes will "transform our business model and drive higher revenue growth," according to a filing with the U.S. Securities and Exchange Commission (SEC) earlier this year.
Like all software-as-a-service (SaaS), Creative Cloud relies on recurring payments -- monthly or annually -- which for most customers, means providing a credit card. The provider stores that card information so it can charge the customer without sending a traditional bill, and most importantly, waiting for payment.
And those credit cards are valuable to hackers. "The stolen credit card numbers alone could be worth up to $30 million on the black market," said Rajesh Ramanand, the CEO of Signifyd, a Santa Clara, Calif. fraud protection firm, in an email about the Adobe breach.
Adobe isn't the only software maker that's trying to migrate from packaged software sold as with a perpetual license to rental-like subscriptions that must be paid regularly. Microsoft, for example, is working hard to convince customers to adopt its Office 365 subscription service.
SaaS numbers -- of subs and thus credit cards -- have grown significantly at both Adobe and Microsoft, to use two examples. Last month, Adobe said Creative Cloud had 1.03 million subscribers, well on the way toward an end-of-year target of 1.25 million. Also in September, Microsoft said its Office 365 Home Premium -- the version aimed at consumers that requires handing Microsoft a credit card -- had 2 million subscribers, up 100% from a touted 1 million in May.
And the breach will cost Adobe millions in notification and protection costs, as it's promised to reach out to affected customers and provide them with a free year of credit monitoring. "This will cost them $100 per user," said Pescatore, which would mean an expense of almost $300 million.
Adobe disagreed. In a filing with the SEC on Oct. 3, the same day it revealed the network break-in, the company acknowledged the breach but said, "At this time, we do not believe that the attacks will have a material adverse impact on our business or financial results." Not surprisingly, the company also included a caveat, adding, "It is possible, nevertheless, that this incident could have various adverse effects on us."
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts