Adobe on Thursday admitted that hackers broke into its network and stole personal information, including an estimated 2.9 million credit cards, illustrating the lucrative target that software-by-subscription providers have become to cyber criminals, analysts said today.
"Even before they went to the cloud, bill-you-monthly firms have been a target," said John Pescatore, director of emerging security trends at the SANS Institute, and formerly a Gartner analyst focused on security. "This has been an issue for [Web] hosting providers for years. There are two reasons why. First, they have a trove of credit cards. And second, you know that the cards are good."
Adobe, long a powerhouse in the software industry, has been aggressively promoting Creative Cloud, its software-by-subscription offering, a shift it hopes will "transform our business model and drive higher revenue growth," according to a filing with the U.S. Securities and Exchange Commission (SEC) earlier this year.
Like all software-as-a-service (SaaS), Creative Cloud relies on recurring payments, monthly or annually, which for most customers means providing a credit card. The provider stores that card information so it can charge the customer without sending a traditional bill and, most importantly, without waiting for payment.
And those credit cards are valuable to hackers. "The stolen credit card numbers alone could be worth up to $30 million on the black market," said Rajesh Ramanand, the CEO of Signifyd, a Santa Clara, Calif. fraud protection firm, in an email about the Adobe breach.
Adobe isn't the only software maker that's trying to migrate from packaged software sold with a perpetual license to rental-like subscriptions that must be paid regularly. Microsoft, for example, is working hard to convince customers to adopt its Office 365 subscription service.
SaaS numbers — of subs and thus credit cards — have grown significantly at both Adobe and Microsoft, to use two examples. Last month, Adobe said Creative Cloud had 1.03 million subscribers, well on the way toward an end-of-year target of 1.25 million. Also in September, Microsoft said its Office 365 Home Premium — the version aimed at consumers that requires handing Microsoft a credit card — had 2 million subscribers, up 100% from a touted 1 million in May.
And the breach will cost Adobe millions in notification and protection costs, as it's promised to reach out to affected customers and provide them with a free year of credit monitoring. "This will cost them $100 per user," said Pescatore, which would mean an expense of almost $300 million.
Adobe disagreed. In a filing with the SEC on Oct. 3, the same day it revealed the network break-in, the company acknowledged the breach but said, "At this time, we do not believe that the attacks will have a material adverse impact on our business or financial results." Not surprisingly, the company also included a caveat, adding, "It is possible, nevertheless, that this incident could have various adverse effects on us."