Adobe pays US$1.2M plus settlements to end 2013 breach class action

Adobe has paid an undisclosed amount to settle customer claims and faces US$1.2 million in legal fees after its 2013 data breach which compromised the details of 38 million users.

The creative content king was served a November 2013 class action lawsuit filed in California in which it is claimed "shoddy" security practises lead to the breach.

The breach occurred when hackers raided a backup server on which they found, and subsequently published, a 3.8GB file containing 152 million usernames and poorly-encrypted passwords, plus customers' credit card numbers.

Adobe initially reported the breach affecting three million users and later increased that figure to 38 million.

The company knew its security practices at the time were poor since it used the same encryption key for all passwords.

It had not deployed a new encryption system nor decommissioned the old backup server by the time of the breach.

US District Judge Lucy Koh rejected Adobe's request to dismiss the action because the impact to users was "very real" despite the plaintiff's inability to prove Adobe failed to inform them of the breach fast enough.

Court documents [PDF] [PDF] published by CourtHouseNews, a news service for legal eagles, show Adobe will pay US$1.18 million in attorney fees and expenses covering some 2540 hours of work.

Judge Koh granted a voluntary dismissal of class action claims after Adobe and plaintiffs agreed on an undisclosed settlement.

An Adobe spokesperson told the publication it is "pleased" to have the case resolved. ®