For Immediate Release - November 15, 2016

Adobe to Pay $1 Million, Update Security Policies to Resolve Multistate Investigation Into Data Breach

Massachusetts to Receive More than $70,000 for Breach that Affected Thousands of Residents

BOSTON – Resolving a multistate investigation into a 2013 data breach that involved the personal information of more than 50,000 Massachusetts residents, software company Adobe Systems, Inc. (Adobe) has @inlinemarker@agreed to pay $1 million and implement new policies and practices to prevent future breaches pdf format of Adobe AOD
file size 7MB@inlinemarker@, Attorney General Maura Healey announced today. Massachusetts will receive more than $70,000 from the settlement.

An investigation by the states revealed that in September 2013, Adobe received an alert that the hard drive for one of its application servers was nearing capacity. In responding to the alert, Adobe learned that an unauthorized attempt was being made to decrypt customer payment card numbers maintained on the server. 

“Consumers who entrust a company with their personal data should have that trust respected,” said AG Healey. “Adobe put consumers’ personal data at risk of being compromised by a data breach, and that is unacceptable. This settlement will put in place important new practices to ensure that a breach like this does not happen again.”

After an internal investigation, Adobe discovered that one or more unauthorized intruder(s) had compromised a public-facing web server and used it to access other servers on Adobe’s network, including areas where Adobe stored consumer data. The intruder(s) ultimately stole consumer data from Adobe’s servers, including encrypted payment card numbers and expiration dates, names, addresses, telephone numbers, e-mail addresses, usernames (Adobe IDs), and passwords associated with the usernames.

The states allege that the nature of the attack was foreseeable and that contrary to Adobe’s representations to its customers, it did not take reasonable steps to protect consumers’ personal information, or to promptly detect the attack and prevent the theft of consumers’ data.  The states allege that the data breach of certain Adobe servers included those containing the personal information of approximately 534,000 residents of the participating states, including approximately 53,000 Massachusetts residents.

The @inlinemarker@agreement pdf format of Adobe AOD
file size 7MB@inlinemarker@ resolves consumer protection and data security and privacy claims against the company and requires Adobe to implement new policies and practices to prevent future similar breaches.

For information on how consumers can guard themselves from potential identity theft and steps to protect themselves if they are a victim of identity theft, consumers may contact the AG’s consumer specialists at 617-727-8400, review identity theft protection tips on the AG’s website or view the Federal Trade Commission's identity theft resource, available at

The states that participated in the investigation and joined the agreement are Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont.

Director of Data Security & Privacy and Assistant Attorney General Sara Cable of AG Healey’s Consumer Protection Division handled this matter for Massachusetts.