October 07, 2013, 9:13 AM — Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals, analysts said today.
"Even before they went to the cloud, bill-you-monthly firms have been a target," said John Pescatore, director of emerging security trends at the SANS Institute, and formerly a Gartner analyst focused on security. "This has been an issue for [Web] hosting providers for years. There are two reasons why. First, they have a trove of credit cards. And second, you know that the cards are good."
Adobe, long a powerhouse in the software industry, has been aggressively promoting Creative Cloud, its software-by-subscription offering, a shift it hopes will "transform our business model and drive higher revenue growth," according to a filing with the U.S. Securities and Exchange Commission (SEC) earlier this year.
Like all software-as-a-service (SaaS), Creative Cloud relies on recurring payments -- monthly or annually -- which, for most customers, means providing a credit card. The provider stores that card information so it can charge the customer without sending a traditional bill and, most importantly, without waiting for payment.
And those credit cards are valuable to hackers. "The stolen credit card numbers alone could be worth up to $30 million on the black market," said Rajesh Ramanand, the CEO of Signifyd, a Santa Clara, Calif. fraud protection firm, in an email about the Adobe breach.
Adobe isn't the only software maker that's trying to migrate from packaged software sold with a perpetual license to rental-like subscriptions that must be paid regularly. Microsoft, for example, is working hard to convince customers to adopt its Office 365 subscription service.
SaaS numbers -- of subs and thus credit cards -- have grown significantly at both Adobe and Microsoft, to use two examples. Last month, Adobe said Creative Cloud had 1.03 million subscribers, well on the way toward an end-of-year target of 1.25 million. Also in September, Microsoft said its Office 365 Home Premium -- the version aimed at consumers that requires handing Microsoft a credit card -- had 2 million subscribers, up 100% from a touted 1 million in May.
And the breach will cost Adobe millions in notification and protection costs, as it's promised to reach out to affected customers and provide them with a free year of credit monitoring. "This will cost them $100 per user," said Pescatore, which would mean an expense of almost $300 million.
Adobe disagreed. In a filing with the SEC on Oct. 3, the same day it revealed the network break-in, the company acknowledged the breach but said, "At this time, we do not believe that the attacks will have a material adverse impact on our business or financial results." Not surprisingly, the company also included a caveat, adding, "It is possible, nevertheless, that this incident could have various adverse effects on us."
Other experts were skeptical that the cyber criminals targeted Adobe for its credit card treasure chest.
"The likely aspiration here was more about the fact that Adobe has long been a target, and its products have been very heavily attacked," said Lawrence Pingree of Gartner. "I think they were literally fishing for data and stumbled upon the credit cards. Hackers usually don't know for sure where they'll find data."
Pingree speculated that the probable motivation for breaching Adobe's network was to pilfer account usernames and passwords, not credit cards.
His bet rested on the practice of many users of recycling passwords, and even usernames, across multiple accounts, including Web email. Armed with the Adobe usernames and passwords -- the company explicitly said only the latter were encrypted -- hackers could either sell those to others or exploit them themselves if they managed to decrypt the passwords.
"Because email is used to reset passwords at banks, usernames and passwords are a treasure trove," said Pingree. "If I can compromise email I can get to almost any service."
Including access to banking online. Equipped with automated tools that ping multiple banks with the purloined username and password, hackers can quickly search for matches, then when one is found, rapidly empty a bank account by wiring funds to their own overseas accounts.
Pingree thought the username/password data was a more lucrative target than credit cards because of the latter industry's sophisticated fraud detection. "The automation deployed by credit card companies understands use patterns of transactions; it's more useful for the bad guys to transfer money out of [bank] accounts."
Chet Wisniewski, a security researcher with U.K.-based security firm Sophos, faulted Adobe for not encrypting all non-credit card data. "How come you didn't encrypt my birthdate?" asked Wisniewski rhetorically. "Why encrypt only those things that were required by PCI [the security standard for organizations that handle cardholder information]? My birthdate is part of my identity, too.
"I'm not really on the hook for a stolen credit card," Wisniewski continued. "But I'm much more concerned about the personal data, about someone using that to get five more credit cards in my name."
But whether or not the attackers targeted Adobe for the credit cards, the fact they did make off with millions is a black eye for the company and its subscription model, the experts agreed.
Adobe recognized that. In the Oct. 3 filing with the SEC, Adobe used stock language to define the risks of a breach, saying one could open the company to litigation and "damage our reputation, result in the loss of customers and harm our business."
Because other companies with far more credit cards on file -- the analysts cited Amazon and PayPal as examples -- have not been breached, or at least have not admitted to one, the experts contrasted those firms' practices with Adobe's as they reached for an explanation of the latter's failure.
"Companies that grew up in the cloud or e-commerce know that their crown jewels are the customer billing data, so from day one they protected that," said Pescatore. Companies that have shifted from being a software seller to a subscription provider, Pescatore said, don't have that in their DNA. Yet.
The PCI standards, said all three, are simply a baseline, but they're not enough. "PCI are the bare minimum," said Pingree. "Companies with large numbers of credit cards do need to go beyond where most firms go because it's always a big deal when a couple million credit cards go wild."
Even if the hit is mostly from negative publicity, said Wisniewski.
Wall Street, however, essentially yawned: While Adobe's stock price dropped 1.4% last Thursday, on Friday it rebounded, closing two cents under Thursday's opening price.
But Pescatore is not a Wall Street analyst, and had harsher words for Adobe and other companies that, while they admitted breaches, said virtually nothing of what they would do to make sure it didn't happen again.
"We will work aggressively to prevent these types of events from occurring in the future," said Adobe in a Thursday blog post.
"I think we're beyond the point where these disclosures are valuable," said Pescatore. "Companies need to tell us why the breach happened and why it's not going to happen again. When a hamburger joint says rat meat was found in a customer's burger, it's not enough to just tell all the customers, 'Hey, we found rat meat.' What you want to hear is why it won't be in your burger if you go there again.
"[The Adobe hack] is like thieves breaking into a rat-burger company and stealing the personal information of everyone who bought the rat-burgers," Pescatore concluded.
Unappetizing. But then, so is the prospect of poring over credit card statements and changing who knows how many account credentials.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His email address is email@example.com.