
Adobe pays US$1.2M plus settlements to end 2013 breach class action

Popped Photoshop factory happy to see court case end.


Adobe has paid an undisclosed amount to settle customer claims and faces US$1.2 million in legal fees after its 2013 data breach, which compromised the details of 38 million users.

The creative content king was served a November 2013 class action lawsuit filed in California in which it is claimed "shoddy" security practices led to the breach.

The breach occurred when hackers raided a backup server on which they found, and subsequently published, a 3.8GB file containing 152 million usernames and poorly-encrypted passwords, plus customers' credit card numbers.

Adobe initially reported the breach as affecting three million users and later increased that figure to 38 million.

The company knew its security practices at the time were poor since it used the same encryption key for all passwords.

It had not deployed a new encryption system nor decommissioned the old backup server by the time of the breach.

US District Judge Lucy Koh rejected Adobe's request to dismiss the action because the impact to users was "very real" despite the plaintiff's inability to prove Adobe failed to inform them of the breach fast enough.

Court documents [PDF] [PDF] published by CourtHouseNews, a news service for legal eagles, show Adobe will pay US$1.18 million in attorney fees and expenses covering some 2540 hours of work.

Judge Koh granted a voluntary dismissal of class action claims after Adobe and plaintiffs agreed on an undisclosed settlement.

An Adobe spokesperson told the publication it is "pleased" to have the case resolved. ®
