Adobe will pay just $1 million to settle a lawsuit filed by 15 state attorneys general over its massive 2013 data breach, which exposed the payment records of around 38 million people. In other news, the 39-year-old Dutchman who coordinated an epic, weeks-long distributed denial of service attack against anti-spam organization Spamhaus in 2013 will avoid jail time for his crimes, thanks to a court ruling in Amsterdam this week.
On October 3, 2013, KrebsOnSecurity broke the story that Adobe had just suffered a breach in which hackers siphoned off usernames, passwords and payment card data from 38 million customers. The hackers had also stolen digital truckloads of source code for some of Adobe’s most valuable software properties, including Adobe Acrobat and Reader, Photoshop and ColdFusion.
On Monday, November 11, North Carolina Attorney General Roy Cooper joined his counterparts in 14 other states in announcing a $1 million settlement with Adobe over the 2013 breach. Cooper said the hacked Adobe servers contained the personal information of approximately 552,000 residents of the 15 participating states. That comes down to about $1.80 per victim in those 15 states.
According to a statement from Massachusetts Attorney General Maura Healey, “A state investigation revealed that in September 2013, Adobe received an alert that the hard drive on one of its application servers was approaching capacity. Upon responding to the alert, Adobe learned that an unauthorized attempt was underway to decrypt customer payment card numbers held on the server.
“Adobe discovered that one or more unauthorized intruders compromised a public web server and used it to access other servers on Adobe’s network, including areas where Adobe stored consumer data,” reads the press release from Healey’s office. “The intruder(s) ultimately stole consumer data from Adobe’s servers, including encrypted payment card numbers and expiration dates, names, addresses, phone numbers, e-mail addresses, usernames (Adobe IDs) and passwords associated with the usernames.”
When I think of the Adobe breach, I am reminded of the scene from the 1982 Spielberg horror classic “Poltergeist,” in which Craig T. Nelson as “Steve Freeling” grabs the horrified neighborhood developer Mr. Teague by his coat collar and screams, “You son of a bitch! You moved the cemetery but you left the bodies, didn’t you?! You left the bodies and you only moved the tombstones!! Why?!?!?! Whyyyyyeeeee??!?!?”
Likewise, Adobe had multiple storefronts for its various software products, but eventually centralized many of its store operations. The core problem was that the company left copies of its customer records in multiple internal network locations that were no longer as well secured as Adobe’s centralized global storefront.
North Carolina’s Cooper said in a statement on the settlement that business and government must do more to protect consumer data. But if this settlement was meant to deter other businesses from hosting customer payment data on public web servers, the fine might have been more effective had it been more proportional to the size of the business and the number of affected customers.
As Digital Trends notes, such a breach under the new General Data Protection Regulation, which takes effect in 2018, would be a little more expensive. “Adobe could face fines of up to four percent of its annual global revenue,” wrote Jonathan Keane for DT. “The last time we checked, Adobe’s previous quarterly revenue was $1.4 billion.”
Keane also notes that Adobe had already settled a similar case in California for an undisclosed amount and $1.1 million in legal fees.
An interesting nugget tucked away at the end of the statement from the North Carolina AG’s office is this: more than 3,700 breaches affecting nearly 10 million North Carolinians have been reported since the state’s data breach notification law took effect in 2005, including 677 breaches reported so far in 2016. According to the United States Census Bureau, there were just over 10 million people in North Carolina in July 2015.
This means that almost everyone in North Carolina has been affected by at least one data breach in the past 12 years. I would bet that is true for just about every state in the union, and probably several times over for some. A handful of lucky states have experienced single breaches that affected all of their citizens at once.
In 2012, a phishing attack on a South Carolina Department of Revenue employee allowed intruders to steal the Social Security numbers and other personal data of 3.8 million electronic filers, as well as 1.9 million dependents. In that same breach, nearly 700,000 businesses, 3.3 million bank accounts and 5,000 expired credit cards were compromised. As of July 2015, South Carolina had a population of less than five million, according to the Census Bureau.
SVEN OLAF KAMPHUIS – alias “Prince of the Cyberbunker Republic”
In March 2013, a coalition of spammers and spam-friendly hosting companies pooled their resources to launch what would become the largest Distributed Denial of Service (DDoS) attack the internet had ever witnessed. The attack briefly took the world’s largest anti-spam organization offline and caused extensive collateral damage to innocent bystanders. Here’s a never-before-seen look at how this attack unfolded, and a rare glimpse into the dark cybercrime forces that orchestrated it.
The paragraph above was the lede of a story I published in August 2016, “Inside the attack that nearly broke the internet.” Its star player was a colorful Dutchman named Sven Olaf Kamphuis, who ran a technology services company called CB3ROB. CB3ROB in turn provided services to a Dutch company called Cyberbunker, so named because the organization was reportedly housed in a five-story former NATO bunker and because it advertised its services as a bulletproof hosting provider.
Kamphuis genuinely seemed to believe his Cyberbunker was sovereign territory, even signing his emails “Prince of Cyberbunker Republic.” Arrested in Spain in April 2013 in connection with the attack on Spamhaus, Kamphuis was subsequently extradited to the Netherlands for trial. He has publicly denied being part of the attacks, but the chat logs of him coordinating the attack with co-conspirators are quite damning, given that he didn’t even use aliases in the chats and live-posted his campaign of terror on his Facebook account.
Nevertheless, a judge in Amsterdam this week sentenced Kamphuis to a total of 240 days in prison. However, the judge also counted the 55 days that Kamphuis had spent awaiting his extradition from Spain and suspended the remaining 185 days. So, no prison time for Kamphuis.
Spamhaus founder Steve Linford said the organization was disappointed with the sentence, and warned Kamphuis against any thoughts of retaliation.
“We were hoping for a longer jail term to send the message that organizing and carrying out DDoS attacks is a crime unacceptable to the courts or to society, but the ease with which Kamphuis was arrested and extradited, and the two months already spent in prison, will I hope have conveyed the message to him that there is no escape from the law if he attempts attacks in the future,” Linford wrote in an email. “Since the remainder of the sentence is a conditional sentence, any action or threat made against Spamhaus during the sentence would be filed with the court as a violation of the terms of the conditional sentence.”
The only other person charged in connection with what was then the biggest attack the internet had ever seen was Sean Nolan McDonough, alias “narko” in the chat logs referenced in the snippet illustrated above.
Narko was a minor when he was arrested by the UK National Crime Agency (NCA); when the NCA raided Narko’s home, they found his computer still logged in to criminal forums and seized £70,000 from his bank account (allegedly payments for DDoS attacks). Narko later pleaded guilty to coordinating the attacks and was sentenced to 240 hours of community service, but because of his age and in return for his cooperation with the NCA, he avoided jail time.
This sentence sends the wrong message and misses the mark by a mile. The message that we as an internet society keep sending through our reluctance to punish people for these crimes is, “Hey, if you’re involved in seriously disrupting networks and commerce through botnet attacks, you don’t have to worry, because you’ll never be prosecuted … or if you are, the punishment will be community service or nothing.”
Neither of the two 18-year-old Israelis arrested in September for their role in selling the hugely profitable vDOS attack-for-hire service has been charged by the Israeli, British or American governments. The hammer has yet to fall on those responsible for the record 620 Gbps attack on my site, or on the person(s) involved in the attack on Dyn that disrupted service for some of the web’s biggest destinations. I fear that the wheels of justice still grind too slowly in this internet age for the threat of prosecution to have any immediate deterrent effect on online hooliganism in the here and now.