Adobe Systems reached a $1 million settlement with 15 states over a huge data breach suffered by the company in 2013.
Officials accused Adobe of failing to employ reasonable measures to protect customers’ personal information and promptly detect malicious activity within its network.
As a part of the settlement, Adobe agreed to implement new policies and practices to prevent similar breaches in the future.
The measures Adobe must take include effectively segregating payment card data from public-facing servers, using tokenization in payment processing, performing ongoing risk assessments and penetration testing, and providing security training to employees.
Adobe will pay the $1 million to attorneys general as designated by the Connecticut Attorney General’s Office, which led the investigation into the data breach.
Connecticut AG George Jepsen said his state will get $135,095.71, of which $25,000 will go to the Department of Consumer Protection’s consumer privacy protection guaranty and enforcement account, and the rest to the state’s General Fund.
The other states involved in the investigation include: Arkansas, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont.
Adobe discovered its systems suffered compromise in September 2013, when it noticed a servers’ hard drive was nearly full. An investigation found unauthorized parties had been trying to decrypt encrypted customer payment card numbers.
Adobe said attackers managed to steal user information and source code, but claimed there was no evidence any unencrypted payment card numbers ended up exfiltrated. The breach affected 38 million Adobe customers and some reported more than 150 million records ended up compromised.