“Under a multistate agreement today, Adobe will pay $1 million to North Carolina and 14 other states and implement new policies and practices to prevent similar breaches,” read a press release issued by North Carolina’s Department of Justice.In September 2013, an attacker gained access to one of Adobe’s servers, stealing encrypted payment card numbers; expiration dates; names; addresses; telephone numbers; emails; and usernames; as well as other data. At the time, Adobe notified more than 3 million users whose credit card data was stolen and an additional 33 million whose credentials were compromised. In North Carolina alone, Attorney General Roy Cooper said more than 50,000 residents were affected by the breach. The participating states said the fine penalized the company for not adopting reasonable security measures to protect its systems from an attacker or having proper measures in place to immediately detect the attack, the press release noted. Other states in the settlement included: Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Mississippi, Ohio, Oregon, Pennsylvania and Vermont.
“Consumers who entrust a company with their personal data should have that trust respected,” said Massachusetts Attorney General Maura Healey in a statement.“Adobe put consumers’ personal data at risk of being compromised by a data breach, and that is unacceptable. This settlement will put in place important new practices to ensure that breach like this does not happen again,” added Healey.