Adobe fined $1.3m for 2013 mega data breach

Software vendor Adobe Systems has been fined US$1 million (A$1.33 million) for the massive 2013 data breach that saw close to 153 million user credentials leaked onto the internet.

The fine will be shared amongst the 15 American states that investigated Adobe over the data breach.

North Carolina attorney-general Roy Cooper said more than 50,000 individuals in his state were affected by the breach. 

In total, the 15 states said approximately 552,000 residents had encrypted payment card data taken, along with names, addresses, telephone numbers, email addresses, user names and other data.

The fine is to penalise Adobe for not employing "reasonable security mesasures to protect its systems and personal information on them from an attack that originated at the public-facing server," the office of Ohio's attorney-general said [pdf].

Beyond the monetary penalty, Adobe has been ordered not to store payment information on public-facing servers.

The company must also employ tokenisation for all adobe.com merchant ID payment card numbers processed using the site ID, and perform ongoing risk assessments of security practices and penetration testing.

Employee training in security policies, and an alert process to monitor Adobe's exfiltration reporting sources is also now required by the company.

Adobe must provide an audit report to the attorneys-general of the 15 states to show it has complied with the mandated security measures.

In August last year, Adobe settled a class action law suit brought by those affected by the mega hack. The amount it paid out has been kept secret.