How many of you got this letter from Adobe? What’s really funny is that its signed by Chief Security Officer Brad Arkin. I wonder if he is still Chief Security Officer. Considering that source code for some Adobe apps was compromised as well as the personal data and some credit card information for 38 million people I don’t see how Brad can keep his job.
Its also funny how that number jumped from 3 million to 38 million. Crisis management at its best. Adobe knows that the initial report would be a bigger news story and that a correction a few weeks later would be treated as old news.
Remember when BP initially stated 5,000 barrels of oil leaking per day but the estimate was readjusted to 62,000 barrels per day a few weeks later? Crisis management …
My wife and I own a small retail store here in NJ (If anyone needs infant or children’s clothing let me know!!). We take credit cards as payment all the time. When choosing a merchant service processing company (these are the guys that handle the credit card transactions), many times you are forced to become PCI compliant. This means that your credit card terminal is secure. It means that the computer you use to process credit card transactions is secure. Its one of the reasons we changed our POS system from Quickbooks POS on the PC to LIghtspeed POS on the Mac. There are too many viruses and keyloggers and trojans on the PC still. Security on Windows machines is still terrible and requires way too much maintenance. The banks want to know that your terminals can’t be hacked into from outside sources. They want assurances that the credit card data is safe. They want to know that the credit card receipts aren’t printing full credit card numbers. Often times the merchant service company will use third party companies to “attack” your processing terminal to see if the security measures in place can be breached. Having this done on a consistent basis keeps you PCI compliant and shields you from fines and fees from the bank if credit card data from your store is somehow compromised. Of course there are monthly fees for PCI compliance monitoring. Its basically an insurance plan for credit card data.
The same thing applies to the web. We are currently in the process of setting up an online shopping cart for our retail store. Again the merchant service companies want assurances that the shopping cart software we use will be PCI compliant. They also want to know if the hosting company servers are PCI compliant. It falls on each merchant to make sure that their little corner of cyberspace is hack proof. It doesn’t matter that I really have no control of the hardware or software that sits on hosting company’s servers. The hosting company doesn’t even have to prove PCI compliance. It’s all on the merchant. My website and the server it sits on has to withstand “attacks” from a third party company to prove PCI compliance. If it fails an attack then my company is responsible if any credit card data is compromised until I can prove that changes have been made to guarantee PCI compliance.
There is no government regulation on this. Basically the card issuing banks are making the rules. The PCI compliance companies are setting the security standards. The issuing banks are also setting the fines. The fines are huge. If a breech happens then the banks have to reissue cards, change security preferences, recoup lost dollars, etc.
Because of Adobe’s lack of security I now have to spend at least a day double-checking all my logins that share the same password with my Adobe account. (Thank goodness for 1Password). I do have many different passwords for many different accounts but I still have to do my due diligence. I also have to sign up for a credit monitoring service. Adobe was kind enough to get me a free monitoring account for a year with Experian, but I still have to spend time babysitting this process for the next year. As if the entire episode wan’t funny enough, to sign up for Experian you have to fork over all of your personal information. I didn’t even get past the first page because I don’t like blindly handing over my info. I’m sure at some point during the sign up process they are going ask for my Social Security number. And you know that when that first year ends Experian is not going to leave me alone. And if I decide to cancel after the first year I’d bet they hold on to all my info. (Someone form Experian please tell me I’m wrong)
My question is what is Adobe’s responsibility here? Who takes the fall for this? What is their fine? Why does all the work that results from this breach my responsibility?
Even better, why am I paying a subscription fee for software?Why does my credit card information need to be kept on file by a SOFTWARE company?
FCPX, Motion 5, Aperture and Pixelmator are looking better and better every day. Come December, when the new Mac Pros start to ship, I’m going to start “thinking different” again. FCPX is definitely starting to pickup steam. I have colleagues that absolutely LOVE it. Pilexmator 3 has just been released to rave reviews. LIghtroom hasn’t wowed me. I’m still pining for a new Version of Aperture but this might be my first and easiest switch. After Effects will be the hardest one to replace and it might not be possible. Motion might suffice for all the work I do at home but too many of my clients require Ae.
I don’t know if the alternative solutions will be suitable replacements, and I might still be stuck with Adobe and the CC after the dust settles. Between the subscription pricing and breach of trust I owe it to myself to look at the other options available.
I know a lot who feel the same way …
Tech Thanksgiving 2013