Adobe Breach Update Leads RoundupFar More Customers Affected Than Originally Reported
In this week's breach roundup, Adobe is reporting that a breach it experienced in early October affected far more customers than originally estimated. Also, Allina Health in Minnesota is notifying almost 4,000 patients of a breach, and British authorities have issued a fine in a case involving children with special educational needs.
Adobe Breach Impact Grows
Adobe is reporting that a breach it experienced in early October affected more than 38 million customer accounts, far more than original estimates.
The company disclosed its increased tally of the number of impacted customers on Oct. 29, according to Reuters. In its original report, Adobe said that 2.9 million customers were affected [see: Attackers Accessed Customer Data, Product Source Code].
According to an Adobe spokesperson, approximately 38 million active users had their IDs and encrypted passwords exposed. Customer order details, including credit card information, for 2.9 million customers were impacted.
The company notified the customers that their personal information, including encrypted payment card numbers, were compromised when the company's network was breached by unidentified intruders. Source code for numerous products was also illegally accessed, Adobe confirmed in a blog.
The company said the attackers accessed customer IDs and encrypted passwords on its systems. The attackers also removed certain customer information, including names, encrypted credit or debit card numbers, card expiration dates and other information relating to customer orders, said Brad Arkin, chief security officer at Adobe.
Adobe was also investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party.
Allina Health Reports Incident
Allina Health, a healthcare network based in Minneapolis, Minn., is notifying 3,800 patients that their information was "unnecessarily" accessed by a certified medical assistant at a clinic.
The assistant accessed patients' electronic medical records outside of normal job duties between February 2010 and September 2013, Allina Health said in a notice posted to its website.
Information accessed included names, addresses, telephone numbers, dates of birth, clinical information, health insurance information and the last four digits of the patients' Social Security numbers.
There's no evidence to suggest that the information was used for financial gain, the notice said. The employee involved was terminated.
Allina is offering affected patients free credit monitoring for one year.
Fine in UK Breach Incident
The UK Information Commissioner's Office has fined the North East Lincolnshire Council Â£80,000 after an unencrypted USB drive containing sensitive information on 286 children with special educational needs went missing.
The council is the governing body for the Yorkshire and Humber region of England.
The USB drive has been missing since July 1, 2011, when it was left in a laptop at the council's offices by a special educational needs teacher, according to the ICO. When the teacher returned to the laptop, the memory stick was gone. It's never been recovered.
Information on the drive included details about mental and physical health problems and teaching requirements, the ICO said. The device also included dates of birth and, in some cases, home addresses.
The council had introduced a policy of encrypting portable devices in April 2011, but failed to ensure all memory sticks being used by staff were encrypted, according to the ICO.