Adobe pays US$1.2M plus settlements to end 2013 breach class action

Popped Photoshop factory happy to see court case end.

Adobe has paid an undisclosed amount to settle customer claims and faces US$1.2 million in legal fees after its 2013 data breach which compromised the details of 38 million users.

The creative content king was served a November 2013 class action lawsuit, filed in California, which claimed that "shoddy" security practices led to the breach.

The breach occurred when hackers raided a backup server on which they found, and subsequently published, a 3.8GB file containing 152 million usernames and poorly-encrypted passwords, plus customers' credit card numbers.

Adobe initially reported that the breach affected three million users and later increased that figure to 38 million.

The company knew its security practices at the time were poor since it used the same encryption key for all passwords.

It had not deployed a new encryption system nor decommissioned the old backup server by the time of the breach.

US District Judge Lucy Koh rejected Adobe's request to dismiss the action because the impact to users was "very real" despite the plaintiff's inability to prove Adobe failed to inform them of the breach fast enough.

Court documents published by CourtHouseNews, a news service for legal eagles, show Adobe will pay US$1.18 million in attorney fees and expenses covering some 2540 hours of work.

Judge Koh granted a voluntary dismissal of class action claims after Adobe and plaintiffs agreed on an undisclosed settlement.

An Adobe spokesperson told the publication it is "pleased" to have the case resolved. ®
