Introduction
Adobe is an American-based organization specializing in developing software products. This company was established in Delaware and had its central business unit in San Jose, California. It is was pioneered by John Warnock, and Charles Geschke and the corporation are famous for having led to the growth of the desktop publishing segment (Wingard, 2021). In its years of development, Adobe experienced several transformations, with approximately 80% of its revenue from application sales (Wingard, 2021). However, in the world of technology, IT-related threats are often rising, with cybercrime being an example. In 2019, Adobe experienced one of the largest data breaches in its history. While the databank was connected and disclosed several confidential information, passwords and financial records were not accessed (Wingard, 2021). This paper explores the recent security breach on Adobe while covering the damages caused and the strategies incorporated to prevent cybercrime in the future.
Overview
The advent of advanced technology has brought several threats in the 21st century. A data breach is an instance where hackers access confidential information without unauthorized access from computer systems. In particular, stolen data may include sensitive, classified, or personal details such as consumer material, credit card numbers, and social security figures (Donalds and Osei-Bryson, 2019). Business organizations have been targets of cybercrimes since the dawn of technological transformations. For example, in 2019, Adobe company experienced a data exposure of about 7 million of its Creative Cloud accounts, subjecting its users to at risk of targeted phishing (Cheng, Liu, and Yao, 2017). The former is computer crime which involves the perpetrator using a disguised email as a weapon aiming to trick their recipients into believing the message is something significant—for example, a request from their banking institution or a link to download a file. Comparitech collaborated with a safety professional Bob Diachenko and discovered the Adobe databank was exposed and individuals without passwords had free access to it. For this realization, the American software company was informed and its network system was secured.
Details of the Breach
US multinational corporation Adobe experienced one of the most significant cybercrimes. In October 2019, its databases were left open, and they were accessible to any individual without a passcode (Wingard, 2021). The company’s popular service, the Adobe Creative Cloud (CC), was the primary target exposed in this incident. With approximately 15 subscribers to this service, Adobe CC is a payment service that gives customers access to the organization’s full suite of well-known presentation software for desktop and mobile, including Lightroom, Premiere Pro, Photoshop, Illustrator, and several others (Wingard, 2021). A security researcher identified as Bob Diachenko played a key role in helping Adobe find solutions to the problem. Diachenko was the person who discovered that Adobe’s information systems were compromised and took the required steps to notify the software giant (Wingard, 2021). As a result, the technology company was able to respond and bar the public from accessing its system while attempting to repair the damage.
Generally, any cybercrime comes with several detrimental effects. The incident did not have immediate consequences since approximately 7.5 million user accounts were not affected (Ihsan and Bintarsari, 2021). Such an incident was vital for the corporation because it acted as a point of correction as the firm prepared for any computer-related crime in the future (Wingard, 2021). Other companies were also able to learn from the incident and strengthen their counter-cybercrime strategies to prevent financial losses, brand reputation, and many other negative consequences.
The exposed user content was not particularly sensitive, but hackers could exploit it to orchestrate phishing campaigns that target Adobe clients whose emails were disclosed. Some of the information that was revealed in the incident were email addresses, subscription status, member identities, account creation date, payment status, and time since login (Wingard, 2021). Due to the company’s fast response from the IT experts who reported the problem, the predicament was contained within a short time.
Damages Caused
In the age of technology at its peaks, several threats have emerged impacting the internet of things. Computer-related crimes come with repercussions, such as the cost of protecting a firm’s information systems (Parrish et al., 2018). Therefore, managers must have large capital investments to protect their corporation from online thieves. A new subculture has also risen from the shadows, referred to as the cyber-activist (Parrish et al., 2018). They are online counterparts of protesters who target various companies. Their goal is to terminate a firm’s online operations to send a message related to the organization’s business practices (Cabaj et al., 2018). In the case of Adobe, this technology giant experienced several detrimental effects as described below.
Damaged Reputation
The period after an incident of a data breach is not easy for corporations. Lots of resources are invested to effectively manage a crisis, with even more time and funds spent on the outcome (Ihsan and Bintarsari, 2021). These overheads include the IT and security teams developing and upgrading a firm’s security architecture while the senior management is conducting digital awareness and training for the employees (Ihsan and Bintarsari, 2021). Moreover, an organization’s public relations group also spends time addressing the customers, key stakeholders, and the public to earn back their trust. Therefore, the way an enterprise handles a data breach directly affects its reputation after its primary activities resume.
For a company as big as Adobe to experience an incident of a data breach, there are several effects that emerge, impacting its reputation. The long-held view is that compromised companies are dismissed by consumers, investors, and stockholders (Parrish et al., 2018). A breach isn’t a short-term glitch as it is a fault and indiscretion which should not be ignored by a company (Parrish et al., 2018). Therefore, in the case of Adobe, its reputation was impacted in several ways. For example, its consumer trust was damaged following the incident.
In risk management, data breaches are portrayed as a public relations and financial disaster. Organizations often identify the intrusion too late and respond ineffectively, resulting in declining sales and journalist outrage (Ihsan and Bintarsari, 2021). According to a survey organized by OnePoll, 86.55% of the respondents reported that they are not likely to do business with a company that has experienced a data breach involving debit/credit card information (Ihsan and Bintarsari, 2021). The CEO of Semafone, a company operating in the United Kingdom, affirmed that the reputational damage experienced by businesses declining to secure personal data translates to financial losses (Wingard, 2021). Therefore, in the case of Adobe, the software giant’s customer relationship and loyalty were undermined following the incident.
Cost Overruns
High-profile instances of data breaches may come with significant financial losses to a company. Adobe issued a statement where its officials admitted to their unsecured server (Wingard, 2021). The company’s representatives blamed the episode on a specific malfunction to a particular category of its prototype environments (Cheng, Liu, &Yao, 2017). Due to this indiscretion, the software syndicate was fined a substantial amount of money, approximately $1 million, which was decided by a law court in North Carolina (Wingard, 2021). The exposure to cybercrime had impacted about half a million clients from various sectors, and the penalty served as a warning to other corporations to ensure reliable cybersecurity techniques (Wingard, 2021). The affected parties in the United States concluded that the software giant had failed in not only their access procedures but also the detection of a threat. According to its financial statement, Adobe agreed to strengthen its cybersecurity strategies by implementing relevant policies and guidelines (Wingard, 2021). Therefore, cybersecurity remains an imperative approach which businesses must consider.
Failure to Meet Deadlines
Adobe was unaware that its database was left open for some time. The American giant’s incident involving the data breach occurred, and its databank was exposed to the public for approximately a week (Wingard, 2021). Therefore, it implies that cybersecurity failed to detect the episode in time to formulate an appropriate strategy and recovery approach to address the situation. Adobe’s security group was unable to meet the deadline of investigating and identifying the threats which exposed its database to the public.
Quality Issues
Quality management is a process of ensuring various activities and tasks are consistent in an organization. This act is a vital aspect of overseeing different elements in a company, and a multinational corporation such as Adobe benefits in the long-run (Parrish et al., 2018). Information technology sector is always exposed to some threats which jeopardize a firm’s operations. For example, in the case of the American software giant, its systems and networks were subjected to an incident involving a data breach, which would have incurred the company financial losses (Ihsan and Bintarsari, 2021). Therefore, ensuring cybersecurity is a challenging process for most contemporary organizations since high-profile data breaches are detrimental (Ihsan and Bintarsari, 2021). Businesses become victims due to insufficient protections applied to their computer systems and network, as in the case of Adobe, where several quality issues contributed to the data breach.
Lack of a Proper Security Culture
In the contemporary world, organizational leaders should normalize the culture of ensuring every employee is conversant with digital skills to improve a firm’s operations. In the case of Adobe, the company seems to have failed in creating an environment that fosters safe practices for managing data on the Internet (Wingard, 2021). According to the details of the incident, security researcher Diachenko believes the company’s servers were accessible to the public for almost a week and anyone without an authorized authentication was able to gain access (Wingard, 2021). Most customers believed that a business as big as Adobe would find it easy to detect an attack early enough to orchestrate a recovery plan that would restore everything to its normal state (Ihsan and Bintarsari, 2021). However, the software giant failed to identify the incident, and such questions its cybersecurity strategies.
Lack of Communication
Another quality issue that can be drawn from the Adobe data breach of 2019 is lack of communication. Today, dissemination of information is one of the most significant parts of running a successful organization (Ihsan and Bintarsari, 2021). Without that, a business is more likely to be affected financially and in other areas. Following the software company’s cyberthreat incident, one can conclude that the company has not mastered the concept of regular communication. In the face of the data breach, Adobe would have acted earlier and accordingly, supposing that the flow of information was consistent (Wingard, 2021). Moreover, the disconnect between a company’s leadership and cybersecurity team can also contribute to the Adobe data breach. Businesses should make it a priority to ensure that each department in a corporate structure can easily communicate with other units (Cabaj et al., 2018). In essence, a firm’s IT team should often report to the business leaders of every aspect of their operations.
Lack of a Competent Security Team
Following Adobe’s woes, quality management experts can conclude the incident was attributed to having incompetent security professionals. In this age of technological transformations, organizations should make it a culture to continually invest in digital education since IT threats are constantly evolving (Ihsan and Bintarsari, 2021). If vital information belonging to the customers from Adobe’s popular asset, the Creative Cloud, could be left open for some time, it means that its security team is not well-equipped to manage the incident (Wingard, 2021). Moreover, the firm’s inability to prioritize cybersecurity threats is also considered in this case. This inconsistency is attributed to a lack of effective leadership to align such priorities to the corporation’s goals and objectives.
How and Why the Breach Occurred
The Adobe data breach of 2019 occurred due to several reasons. On October 19, 2019, a researcher identified as Diachenko discovered the company’s servers had been exposed and vulnerable to hackers (Wingard, 2021). The security expert was working together with a cybersecurity organization recognized as Comparitech, where the two parties realized that the software giant’s famous suite, Adobe CC, had been left open (Wingard, 2021). Comparitech is a security firm specializing in scanning through the internet for possible databases, and it reported to Diachenko and Paul Bischoff, the two individuals who were in-charge and uncovered the threat (Wingard, 2021). However, the company did not exactly state when the database appeared on the internet. Diachenko approximated that it had been left open for almost an hour.
Adobe’s cybersecurity problem occurred as a result of several reasons. For example, due to its cybersecurity officials’ negligence, the company suffered major losses, which also impacted its reputation. A company of Adobe’s size should have the best talent available, working in its security team to ensure the safety of its networks and system to the welfare of the customers (Parrish et al., 2018). Since the Adobe Creative Cloud suite is a widely used product among technology-oriented customers, the company should ensure that it has the best skills from the employees to prevent such an event from happening in the future. Moreover, Adobe had suffered the same effect in 2013 due to another data breach (Wingard, 2021). In essence, cybersecurity also relies on other non-technical features incorporated such as a security culture.
Lack of Preparation
Generally, it seems the software giant was not prepared to face such a situation. In 2013, the company experienced a data breach where usernames and encoded passwords were stolen from approximately 38 million users (Parrish et al., 2018). The software maker issued a statement and revealed that the perpetrators accessed details from various accounts that had not been used for at least two years (Donalds and Osei-Bryson, 2019). Initially, Adobe reported that 2.9 million user accounts were affected, and the hackers stole some elements from Photoshop’s source code (Donalds and Osei-Bryson, 2019). In addition, the software company revealed that the programming statement for its Acrobat document editing software and ColdFusion web app had also been unlawfully accessed (Wingard, 2021). Therefore, organizations should be adequately prepared to prevent future instances of data breaches.
Following these incidents, the enterprise should have made the required changes to prevent such incidents from happening in future, but they failed to do so. In 2019, the software giant suffered the same outcome, but significant damage was not taken this time (Wingard, 2021). Since Adobe faced a similar situation in 2013, the organization should have incorporated several strategies and policies to prevent another instance, such as the one in 2019 (Wingard, 2021). In essence, a corporation should continuously improve and update its contingency plan to prevent, manage, and contain any potential threat which may have devastating consequences.
Measures Implemented to Eliminate the Breach in Future
Following the incident involving Adobe Creative Cloud being exposed to potential hackers, the company responded when Diachenko realized its database was exposed. The organization’s officials decided to shut down the database to prevent public access on the same day the breach occurred (Wingard, 2021). In a statement, the corporation confirmed that they discovered the leak in its prototype environment and addressed the situation by limiting the customers from accessing the misconfigured model in an attempt to lessen vulnerability (Wingard, 2021). Moreover, the software giant also revealed that the incident did not affect any of its core product offerings. The company reviewed its development processes to prevent the same issue from happening in the future.
Recommendations
Several strategies and improvements can address Adobe cybersecurity problems. Following the computer-generated breach where 7.5 million customers were affected, several aspects of the company’s management were highlighted (Wingard, 2021). It was a reminder of the incident which happened in 2013 where 38 million customers were affected when usernames and passcodes were stolen (Wingard, 2021). The World Economic Forum has informed IT experts that computer security techniques should match the rate of technological transformations without which the threats may cost as much as ninety trillion United States Dollars by 2030 (Wingard, 2021). Irrespective of these dire projections, numerous enterprises are failing to adjust. More than 69% of the workforce feel their employer’s cybersecurity method is “responsive and episode-driven” (Wingard, 2021). As a result, Adobe should consider incorporating the following strategies.
Improving Security Team
Having the most competent and skillful employees working in an organization’s cybersecurity department is vital in the combat against computer crimes. If a business is not among the enterprises which have recruited an adequate workforce, it should do so instantly. Adobe should therefore realize that the most significant position in this team is the chief information security officer (CISO), and surprisingly, 38% of the Fortune 500 organizations do not have (Wingard, 2021). Apart from the CISO position, Adobe should also introduce a particular incident response team that unites members from various units in the company. Although this approach will not minimize breaches, it reduces their severity. A report suggests that businesses that have an IR-group respond quicker and save substantial costs in the process (Ihsan and Bintarsari, 2021). In essence, Adobe will have a better chance of managing such occurrence with the introduction of a CISO position and IR-team.
Nurturing a “Security Culture”
Digital awareness and customs play a vital role in eradicating cybersecurity threats. Although some managers might deem outside forces to be a considerable threat, a report from IBM shows that 29% of attacks involved phishing, and 43% were associated with the incorrect configuration of cloud servers in 2018 (Wingard, 2021). Therefore, the first initiative towards creating a security culture is investing in awareness programs that will inform the employees of cybersecurity threats. Not only does education raise awareness, but it also reminds the entire organization that cybersecurity is a shared responsibility.
Encouraging Communication
Lack of effective communication can also act as a driver to computer-related crimes. Adobe should create an environment that integrates its security team with its strategic leadership. For a business’ online security program to be effective, this disconnected approach will not be sufficient. Executive headship needs to ensure security efforts – and not only in the event of a breach episode (Wingard, 2021). As technology progresses, cybersecurity approaches should also advance. Therefore, for Adobe to avoid future breaches, it should take proactive measures to establish cyber resilience.
Conclusion
This paper has explored Adobe’s data breach, which occurred in 2019. The event did not come with significant losses, but it exposed the company’s database to potential threats of phishing. From this case study, managers learn that cybersecurity is a vital aspect of organizational management in the contemporary world. Therefore, in the face of several digital threats, a business’ leadership should take some measures to ensure that the employees are conversant with computer-related risks. Nurturing a “security culture” is imperative for any enterprise because it creates awareness of these threats. Moreover, improving a corporation’s security team equips them with relevant knowledge and skills to handle instances of data breaches. Lastly, encouraging communication is crucial for integrating every organizational department for a shared responsibility towards cyber threats. In essence, while technology continues to develop, organizations should continuously invest in research and development to find innovative techniques and strategies for approaching computer-related risks.
Reference List
Cabaj, K. et al. (2018) ‘Cybersecurity education: evolution of the discipline and analysis of master programs,’ Computers & Security, 75, pp. 24-35.
Cheng, L., Liu, F. and Yao, D. (2017) ‘Enterprise data breach: causes, challenges, prevention, and future directions,’ Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5), p. e1211.
Donalds, C. and Osei-Bryson, K.-M. (2019) ‘Toward a cybercrime classification ontology: A knowledge-based approach,’ Computers in Human Behavior, 92, pp. 403-418.
Ihsan, F. and Bintarsari, N. K. (2021) ‘Internet Governance Forum Analysis on Artificial Intelligence in Cyber Security,’ Insignia: Journal of International Relations, pp. 32-47. Web.
Parrish, A. et al, (2018) ‘Global perspectives on cybersecurity education for 2030: a case for a meta-discipline’, in Proceedings Companion of the 23rd annual ACM conference on innovation and technology in computer science education, pp. 36-54.
Wingard, J. (2021) ‘Adobe’s cyber woes. How leaders can create security resilience’, Forbes.