2.9 mn Adobe accounts compromised; investigations still on

Information removed includes customer names, encrypted credit or debit card numbers, expiration dates and other information relating to customer orders

US-based Adobe Systems, which sells Photoshop and Acrobat software, today said it has faced two attacks from cyber criminals who have stolen credit card data of 2.9 million customers.

The California-headquartered firm said its security team discovered sophisticated attacks involving illegal access of customer information and source code of many Adobe products.

Its products are used by film and video makers, web and graphic designers, creative professionals, professional publishers, enterprises and individual consumers. The products are widely used on the Internet, including reading and viewing of documents.

Adobe, however, did not reveal the geographies where the accounts have been compromised. It has office locations in about 34 countries across North America, Asia, Australia and New Zealand, Europe, Middle East, Africa and South America.

When contacted about the number of affected customers in geographies, including India, a Adobe spokesperson told PTI: "We are not commenting on country-specific information at this time."

It has a significant presence in India with R&D offices in Bangalore and Noida and sales offices in Bangalore, Noida and Mumbai. The company employs over 2,000 people in India of its global headcount of more than 11,000 employees.

Without revealing details of affected countries, Adobe's FAQ section on geographies involved in the cyber attack said: "Adobe customers worldwide provide us with account information, so we are taking the precaution of resetting relevant customer passwords and notifying any customers who have provided us with their credit or debit card information."

On the attack, Adobe said investigations are continuing, which also includes the nature and scope of the intrusion.

Adobe website said: "Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems.

"We also believe attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders."

The company further said: "At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.

"We are also investigating illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident."

Adobe will compensate its customers in the US with option of enrolling in a one-year complimentary credit monitoring membership, while, no such offer has been announced for any other geography.

About half of Adobe's annual revenues comes from outside the US. It clocked revenues of over USD 4 billion in 2012.

Adobe said it is working internally and with external partners. It has also alerted banks processing its payments to help protect customer accounts and is working with federal law enforcement on the related investigation.