
Federal Court Allows Class Action over Adobe’s Data Breach to Move Forward

Summary: Adobe fails to dismiss a class action lawsuit over its 2013 data breach, in which the personal, credit card, and debit card information of millions of customers was compromised and hackers romped undetected for months within the company’s networks.

The U.S. District Court for the Northern District of California, San Jose Division, has granted in part and denied in part Adobe Inc.’s motion to dismiss the class action filed against the company over its 2013 data breach. In 2013, hackers were successful in breaching Adobe’s security systems and collected personal information of customers including their credit card information. Plaintiffs sued Adobe.

In response, Adobe moved for dismissal of the lawsuit, but the federal court in San Jose granted Adobe’s petition only in part, allowing the plaintiffs to move forward with their claims.

Court documents show that from July 2013 to August 2013, hackers regularly accessed Adobe’s network without being detected, and by August they reached the databases containing the personal information of customers, as well as source code repositories of Adobe products. The hackers kept removing customer data undetected and unchecked until September, when independent security researchers found Adobe source code on the Internet and concluded that a data breach had occurred.

Adobe finally admitted the security breach on October 3, 2013, by which time the personal information of at least 38 million customers had been compromised. Stolen information included credit and debit card numbers, expiration dates, email addresses, login IDs, passwords, etc.

Following the data breach, researchers concluded that Adobe’s security practices were deeply flawed and did not conform to industry standards; the encryption was poorly implemented, and independent researchers were able to decrypt a substantial portion of the stolen passwords quickly. The company also failed to employ intrusion detection systems or to implement user- or network-level system controls.

The plaintiffs, who are Adobe customers, sued Adobe, alleging violations of the Customer Records Act and unfair business practices and seeking declaratory relief. Adobe argued the plaintiffs lacked locus standi, but the court found that all plaintiffs except two had paid a premium for Adobe’s products, could expect premium security, and had the necessary standing to bring their claims.

Shamelessly, the company argued that its lax security was a well-publicized matter and therefore consumers should have been aware of the risks. But Judge Lucy Koh observed, “It is one thing to have a poor reputation for security in general, but that does not mean that Adobe’s specific security shortcomings were widely known. None of the press reports Adobe identifies discusses any specific security deficiencies … Furthermore, the exact nature of what was in the public domain regarding Adobe’s security practices is a question of fact not properly resolved on a motion to dismiss.”
