Target Made Big Headlines, but Adobe Breach Was Scariest of 2013

Don't let Target's breach of 40 million payment cards overshadow a much scarier incident at Adobe in recent months.

The software company suffered a hack that affected up to 153 million Adobe accounts, an alarming uptick from early reports that pegged the breach's size at 2.9 million. And it gets worse from there.

"Adobe, with 150 million user names and 3 million records with card data, was the most notable breach of 2013. Most importantly, the source code to popular Adobe products was compromised, potentially paving the way for future breaches," says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.

With a source code, a fraudster can build a website or attack other sites, says Al Pascual, senior analyst of risk and fraud for Javelin Strategy & Research.

The Adobe breach also is significant because it highlights the need for banks, merchants and consumers to adopt better authentication methods that go beyond passwords, Pascual says.

"Everyone reuses passwords," Pascual says. "We use the same passwords to log into social networks, insurance and bank accounts because we don't want to go through the trouble of remembering these 12-digit passwords."

When passwords are compromised, criminals drop the list into mining software and run it through every account at financial institutions to determine if those credentials provide access, Pascual says.

"They do that for a reason — because it works," he says.

If the payments industry incorporated more encryption and banks, merchants and consumers backed away from passwords, payments would be much safer, Pascual says.

Still, the massive Target data breach served as an exclamation point of sorts for 2013, reminding everyone that much of how the current technology operates in U.S. payments can't stand up to technology of hackers.

The Target attack came just two weeks after JPMorgan Chase announced that 465,000 holders of prepaid cash cards might have had personal information accessed by hackers who breached the bank's network.

Prepaid cards remained a ripe target for fraudsters. In May, two prepaid card processors were named as the victims of a $45 million ATM cash-out scheme.

The intensity of cyberattacks could not be lost on those paying attention. The global threat came to the forefront in July when U.S. prosecutors indicted four Russians and a Ukrainian, accusing them of a massive hacking and data breach scheme that involved 160 million credit card numbers and hefty ATM withdrawals.

Even new payment systems found themselves in fraudsters' crosshairs. Citibike, the Citigroup-sponsored bike sharing program in New York City, launched this year and soon disclosed a breach of payment card data affecting credit card numbers of more than 1,000 account holders.

Virtual currency remained a prominent target. The Bitcoin community put security at the forefront after customers and vendors accused operators of the Sheep Marketplace website of stealing $40 million worth of bitcoin payments.

LivingSocial, Schnucks Markets and Genesco also made headlines for their involvement in data breaches and the legal and customer service consequences.

Despite all of these incidents, the Target breach will be top-of-mind in the industry for some time, Aite's Conroy says.

"Target was not the worst in terms of long-term implications, but it will certainly be the most prominent thanks to the size and the consumer impact," Conroy says. 

The breach highlights the fact that no merchant is immune, even the largest and most sophisticated. It also reinforces the importance of having controls in place to encrypt or tokenize sensitive data from the point of sale all the way up the processing chain, Conroy adds.

If consumers finally change their behavior with passwords and monitoring their accounts because of the Target breach, the industry would consider that a silver lining to the whole affair, Javelin's Pascual says.

"It won't change behaviors overall, but as a society I believe we are becoming more security conscious, and that's a good thing," Pascual says.