Adobe announced today that there was an unauthorized access to Customer information as well as access to the source code of their products. And, while it’s unfortunate that Adobe has to make this announcement, it’s also not surprising.
If you look at the way most Enterprises do business, they will apply Capital towards investments in their Products or Services because they want to focus on increasing market share resulting in an increase in profits. But that same reasoning means that any expenditure on non-core business activities tends to be reduced as much as possible since these are costs to the bottom line. And, unfortunately, Security is seen as exactly that – a cost to the bottom line.
In the case of Adobe, though, they haven’t changed their view of what their Product or Service is. Because they have shifted their business model to include the sales of their Product directly, they have changed from a Software Developer to a Retailer. So they no longer need to just deal with making sure their Software is vulnerability free, they also have to make sure their customer’s experience is safe and secure. Today’s announcement shows that is not the case and, as a result, their reputation is damaged and will cause a cost to them.
One aspect that I’m not sure has been paid enough attention to at the time of this writing, though, is the fact that the attack also accessed their source code. If you were to look at other attacks of companies such as RSA and Telvent, the attackers gained access to the source code of their products in order to develop a unique Zero Day Attack. Because of how pervasive Adobe’s products are in businesses, I’m wondering if this is a precursor of another attack on another company by making use of an otherwise unknown vulnerability in an Adobe product. That would make the release of customer information, while disappointing, potentially a secondary issue.
Unfortunately, this situation is becoming the norm with Enterprises and isn’t surprising.