By Jon Callas
A couple of weeks ago Brian Krebs announced that Adobe had a serious breach, of customer data as well as source code for a number of its software products. Nicole Perlroth of The New York Times updated that to say that the breach appears to be much bigger than thought and, indeed, Krebs agrees. Adobe itself announced it first, before Krebs’s report, in CSO Brad Arkin’s terse blog post, Illegal Access to Adobe Source Code.
By now, breaches are hardly news at all. All of us pros flat out say that it isn’t a matter of *if* you get hacked, but *when*. Adobe’s is of note solely because of the way that the news has dribbled out. First, the “illegal access” to source code, then the news of lost customer data to the tune of 2.9 million, then upping that to 38 million, but really actually (maybe?) 150 million. The larger number is expired accounts—or something.
Adobe spokesperson Heather Edell said that the 38 million accounts are *active* accounts, and that weasel word seems to explain the rest. They have reset the passwords of the inactive accounts, but personally I’d prefer that they delete them. Adobe has had the usual response of buying free credit monitoring for the hacked *active* accounts. I sympathize with not getting credit reporting for the inactive accounts as these people aren’t at present customers.
Nonetheless, this is one of the problems of Big Data. Disks are cheap and getting cheaper, so people don’t delete. Privacy management often means data minimization. If someone’s account goes inactive, eventually the inactive account should be deleted. It’s a slight inconvenience to the inactive customer should they become active, but there is risk to holding inactive user data.
California’s breach disclosure law, SB 1386, doesn’t differentiate between active and inactive customers. It says that if you hold someone else’s personal data, then certain things need to happen in the event of a breach. Strictly speaking, if Adobe is doing some things for active users, it needs to do them for inactive users, too. That doesn’t have to go as far as free credit reporting, but it does include the legal mandate in SB 1386.
It ought to include deleting the inactive accounts. Despite the estranged customer/supplier relationships, they lost the personal data of 112 million people that they’re apparently not doing anything for, despite their legal obligations. I don’t think it has to be overblown. A simple email to the inactive accounts explaining that the breach happened and the inactive account has been deleted would work.
Adobe is becoming a network-oriented software supplier. There are a lot of good reasons for that, and this shift is pretty much what customers expect these days. We don’t want software in boxes. They are expensive and we just throw them away. Much better to get software from a download. It is good for them and good for us customers. But they have to recognize the liability, as well, and that is that when there’s a breach, they have to treat all accounts the same.
Financially as well as for the good of privacy, old accounts need to be timed out and deleted.
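What a retention job of the kind recommended above (and in the data-minimization paragraph earlier) looks like in practice, as an added example that is not from the original post and has nothing to do with Adobe’s actual systems: the schema, the two-year inactivity window and the sample accounts are all constructed assumptions. The job selects accounts whose last login is older than the retention window, deletes them in one transaction so that the password hash and the rest of the record are gone, and hands back only the addresses that should receive a one-line closure notice.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical policy: an account with no login for two years is deleted.
RETENTION_DAYS = 365 * 2


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not any vendor's real schema or users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " id INTEGER PRIMARY KEY,"
        " email TEXT NOT NULL,"
        " password_hash TEXT NOT NULL,"
        " last_login TEXT NOT NULL)"  # ISO-8601 date, so string order is date order
    )
    conn.executemany(
        "INSERT INTO accounts (email, password_hash, last_login) VALUES (?, ?, ?)",
        [
            ("alice@example.test", "hash-a", "2013-09-01"),  # recently active
            ("bob@example.test", "hash-b", "2010-01-01"),    # long dormant
            ("carol@example.test", "hash-c", "2012-06-15"),  # inside the window
            ("dave@example.test", "hash-d", "2011-05-05"),   # dormant
        ],
    )
    conn.commit()
    return conn


def inactivity_cutoff(now: datetime, retention_days: int = RETENTION_DAYS) -> str:
    """Oldest last-login date that still counts as active, as an ISO date string."""
    return (now - timedelta(days=retention_days)).date().isoformat()


def find_inactive(conn: sqlite3.Connection, now: datetime,
                  retention_days: int = RETENTION_DAYS) -> list[tuple[int, str]]:
    """Return (id, email) for every account whose last login predates the cutoff."""
    cutoff = inactivity_cutoff(now, retention_days)
    cur = conn.execute(
        "SELECT id, email FROM accounts WHERE last_login < ? ORDER BY id", (cutoff,)
    )
    return cur.fetchall()


def purge_inactive(conn: sqlite3.Connection, now: datetime,
                   retention_days: int = RETENTION_DAYS) -> list[str]:
    """Delete inactive accounts and return the addresses owed a closure notice.

    The whole record (including the password hash) is removed in a single
    transaction; only the e-mail address survives, and only as the return value,
    long enough for the caller to send the notice.
    """
    stale = find_inactive(conn, now, retention_days)
    with conn:  # one transaction: either every stale row goes or none does
        conn.executemany("DELETE FROM accounts WHERE id = ?", [(i,) for i, _ in stale])
    return [email for _, email in stale]


def count_accounts(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    run_at = datetime(2013, 10, 30)  # constructed run date
    before = count_accounts(db)
    notify = purge_inactive(db, run_at)
    print(f"cutoff {inactivity_cutoff(run_at)}: {before} -> {count_accounts(db)} accounts")
    for addr in notify:
        print(f"send closure notice to {addr}")
```

The notice list is the only thing that outlives the delete; a real job would hand it to the mailer and then drop it rather than writing it back to a table, since the point is to stop holding the data, not to relocate it.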
This post originally appeared on O’Reilly Programming (“How Secure is Your Old and Inactive User Data?“). It’s republished with permission.