Adobe security failure of the DAY: 160K SSNs exposed
Yesterday I wrote about Adobe's latest security nightmare, this time involving web development environment ColdFusion. I also stressed that while aware of the problem, the company didn't plan a fix until May 14, during its next monthly patch release. For the Washington state court, this is not soon enough.
A ColdFusion vulnerability exposed 160,000 Social Security numbers and the driver’s license numbers and names of a million people. Before hitting the panic button, realize that if you have had no legal issues then you are likely safe.
Social Security numbers of those booked into a city or county jail in the state of Washington between September 2011 and December 2012 are compromised. So are the driver's license numbers of anyone who received a DUI citation in Washington State between 1989 and 2011, had a traffic case in Washington State filed or resolved in a district or municipal court between 2011 and 2012, or had a superior court criminal case in Washington State filed against them or resolved between 2011 and 2012.
The court discovered the breaches in late February, but waited to issue a statement warning those whose information may have been compromised:
Once the breach was discovered, AOC took immediate action to further secure the environment and begin investigation and analysis into the depth and severity of the breach. In addition, AOC collaborated with the Washington State Consolidated Technology Services (CTS) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) for internet security, who provided valuable information in determining the scope of this security breach. MS-ISAC is a focal point for cyber threat prevention, protection, response and recovery for the nation's state, local, territorial and tribal governments. The MS-ISAC 24x7 cyber security operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response.
The court stresses that no financial data was obtained and that it has "implemented significant security enhancements to ensure that our systems and data are secure and to prevent the potential for future compromise".
As for Adobe? The company will get around to fixing this latest problem next week, along with the PDF flaw that is being utilized in the wild to compromise your Reader app -- the one you should not be using.