Adobe disagreed. In a filing with the SEC on Oct. 3, the same day it revealed the network break-in, the company acknowledged the breach but said, "At this time, we do not believe that the attacks will have a material adverse impact on our business or financial results." Not surprisingly, the company also included a caveat, adding, "It is possible, nevertheless, that this incident could have various adverse effects on us."
Other experts were skeptical that the cyber criminals targeted Adobe for its credit card treasure chest.
"The likely aspiration here was more about the fact that Adobe has long been a target, and its products have been very heavily attacked," said Lawrence Pingree of Gartner. "I think they were literally fishing for data and stumbled upon the credit cards. Hackers usually don't know for sure where they'll find data."
Pingree speculated that the probable motivation for breaching Adobe's network was to pilfer account usernames and passwords, not credit cards.
His bet rested on the practice of many users to recycle passwords and even usernames for multiple accounts, including Web email. Armed with the Adobe usernames and passwords -- the company explicitly said only the latter were encrypted -- hackers could either sell those to others or exploit them themselves if they managed to decrypt the passwords.
"Because email is used to reset passwords at banks, usernames and passwords are a treasure trove," said Pingree. "If I can compromise email I can get to almost any service."
Including access to banking online. Equipped with automated tools that ping multiple banks with the purloined username and password, hackers can quickly search for matches, then when one is found, rapidly empty a bank account by wiring funds to their own overseas accounts.
Pingree thought the username/password data was a more lucrative target than credit cards because of the latter industry's sophisticated fraud detection. "The automation deployed by credit card companies understand use patterns of transactions; it's more useful for the bad guys to transfer money out of [bank] accounts."
Chet Wisnieswki, a security researcher with U.K.-based security firm Sophos, faulted Adobe for not encrypting all non-credit card data. "How come you didn't encrypt my birthdate?" asked Wisnieswki rhetorically. "Why encrypt only those things that were required by PCI [the security standard for organizations that handle cardholder information]? My birthdate is part of my identity, too.
"I'm not really on the hook for a stolen credit card," Wisnieswki continued. "But I'm much more concerned about the personal data, about someone using that to get five more credit cards in my name."
But whether or not the attackers targeted Adobe for the credit cards, the fact they did make off with millions is a black eye for the company and its subscription model, the experts agreed.
Adobe recognized that. In the Oct. 3 filing with the SEC, Adobe used stock language to define the risks of a breach, saying one could open the company to litigation and "damage our reputation, result in the loss of customers and harm our business."
Because other companies with far more credit cards -- the analysts cited Amazon as an example, PayPal too -- have not been breached, or at least have not admitted one, the experts contrasted those firms' practices with Adobe's as they reached for an explanation of the latter's failure.
"Companies that grew up in the cloud or e-commerce know that their crown jewels are the customer billing data, so from day one they protected that," said Pescatore. Companies that have shifted from being a software seller to a subscription provider, Pescatore said, don't have that in their DNA. Yet.