I started off with a headline that said I was livid with Adobe over the hacking debacle. I realised that 'livid' was a gross exaggeration—there are many other situations in this world that make me angry, and this is not one of them—but I am displeased with the manner in which Adobe has conducted itself. I believe Adobe has handled this security breach abysmally and treated its paying customers with contempt. A recap of the facts: on 3 October 2013, Adobe announced that its systems had been attacked. It was initially reported that 2.9 million customers suffered the theft of their names, encrypted payment card numbers, and card expiration dates. Adobe also had some proprietary source code stolen. Later in the month it was revealed that up to 38 million customers' IDs and encrypted passwords had been taken, with the potential for this number to be even higher, and some Photoshop code went, too. As of last night, we're looking at 150 million stolen user names and encrypted passwords.
Any company that holds millions of users' personal details and credit card numbers is going to be a target for nefarious types who'd like to waltz away with free money and the ability to create havoc elsewhere on the Intergoogles. We saw it happen to Sony. Companies that don't hold users' credit card data are still targets for attack; Twitter knows this to its cost. We all know it's possible. This is why we expect companies to implement robust security protocols in addition to practising adequate password hygiene ourselves. We do our bit to protect ourselves, and when we part with money for the privilege of goods or services, we expect those taking our money to safeguard the personal details they acquire in the process.
But when the worst happens—and never forget that if you can make something, you can break it, too—how a company handles the investigation, responds to the crisis, and communicates with its customers or users becomes all-important. The attack itself was a failing on Adobe's part, but its response has been a more significant failing.
I received an email from Adobe on 4 October informing me that its systems had been breached, that attackers 'may have obtained access to your Adobe ID and encrypted password,' and that I was advised to reset my password. Details were also made available in a blog post by Brad Arkin, Adobe's Chief Security Officer. I reset my password pretty damn quick. Since then, however, there has been no further communication with me as an Adobe customer, either by email or by blog. This is despite last week's revelation that the breach was far larger than previously believed, and despite my discovering yesterday evening, via LastPass (which I reached via Mashable), that my account was one of the 150 million compromised. There have been no updates, no confirmations, no reminders, and no progress reports. I do understand Adobe's position of only wishing to provide updates on verifiable information, but if such a persistent silence isn't indicative of a complete lack of progress, it suggests that Adobe would rather we forgot that this happened at all.
This veil of secrecy, and the hope that silence will bring collective amnesia, is in complete contrast to Buffer's response to a security breach at the end of October. Buffer is a social media management system: it allows me and its millions of other users to schedule posts to Twitter, Facebook, LinkedIn, and Google+. On 26 October 2013 it was attacked and several accounts were compromised; they started to spew spam. As soon as the Buffer team became aware, they emailed all of their subscribers, detailing what had occurred to the best of their knowledge, what steps they were taking to rectify the situation, what we needed to do as users, and where we could find updates on the developing situation. Since then, users have been provided with an analysis of the breach and of the steps taken to secure Buffer.
As far as I can tell, the Buffer team has responded to every email, Twitter post, and blog comment concerning the attack. Buffer's response has been an exercise in transparency and honesty, which appears to have endeared it to people who now feel more confident in the service. I cannot speak similarly of Adobe.
In my professional capacity as a writer, I have had further correspondence with Adobe. On 29 October, I published an article covering the increased extent of the breach. Heather Edell, Adobe's Senior Manager of Corporate Communications, emailed me on 30 October requesting that I make a clarification to the article. She also confirmed that Adobe had chosen not to divulge further details of the attack until they could be verified. Adobe appears to have chosen a path of damage limitation, but with every revelation made by companies, blogs, and websites that aren't Adobe, it is growing increasingly exposed and less in control of the situation.
Adobe has a responsibility to its customers to handle their data securely; when there's a breach, those customers can expect to be kept informed of what has become of their information and, most importantly, of what Adobe will now do to maintain their security and privacy. This expectation of security is even more important now that many of Adobe's products are issued on a rolling subscription basis, rather than being available in stand-alone, single-purchase format. If customers want to use Adobe products, they have no option other than to hand over their credit or debit card details. But I'm left wondering how safe it is to do that. Silence doesn't breed trust; transparency does.