The Creative Cloud Chronicles: Adobe and the NSA

By Chris Dickman
Founding Editor,

More Creative Cloud Chronicles

What is it about entities, whether private companies or government agencies, and their attitude about how they manage your data? Recent revelations have clearly indicated that the NSA, for example, felt no compunction in inhaling just about every personal bit or byte it could find online and then did with that just what it saw fit. And when questioned about its practices, it circled the wagons. Okay, that's a hush-hush government agency, you can expect that. But what about a private corporation to which you, as a customer, have provided personal data that includes financial data, such as credit card information? When questioned, you would expect transparency, would you not?

That's not a word that can be associated with Adobe's recent loss of the data of 2.9 million of its customers, including credit card details. And I speak from personal experience. Last week I received, as I'm sure did many of you, an email from Adobe indicating that it had reset the passwords for two of my accounts. As you can imagine, I've been purchasing Adobe products since the Clinton era, so I had no idea what cards had been used for all of these over the years. So I duly changed the passwords for both of the accounts, just to make sure, and then logged in. But imagine my surprise when I discovered the absence of the usual four-digit number identifying what cards had been used for these purchases. Rather than cancel every single card in my possession, I headed over to the forum that Adobe set up recently that is dedicated to the security breach and posted what I thought was a simple enough question: how do I determine what cards were used for my purchases?

This was days ago and while the thread grew to dominate the forum, with others chiming in with a similar request, an answer from Adobe was never forthcoming. Some customers, it seems, can see this data for some of their purchases. Others, like me, not. But Adobe will not acknowledge this, just as it won't respond to questions about the encryption employed for its customers' data. Salted, not-salted, plain text? We'll never know, it would seem.

At one point a moderator volunteered his opinion that "It doesn't appear that your credit card was affected." I appreciate the subtle use of language in which "doesn't appear" in no way is the same as saying "hasn't been." Pursuing this further, I finally received a private message by another Adobe employee telling me exactly what I needed to know — which cards had been used for which purchases.

Do I feel reassured? No. Do you?

Just a note in closing. As a result of the revelations, NSA Director James Clapper has repeatedly made public statements (convincing or not) about the operations of the agency. Following the news of the breach of security of its customers data and the theft of the Cold Fusion source code that powers many government and financial sites (including the NSA!), as well as the code for Acrobat and other undisclosed applications, Adobe CEO Shantanu Narayen is on record as saying... well, you fill in the blanks.

In a 10-Q filing last Thursday, Adobe did refer briefly to the intrusion: “We do not believe that the attacks will have a material adverse impact on our business or financial results. It is possible, nevertheless, that this incident could have various adverse effects.”

I wonder what those might be?