Adobe Breach & Public Libraries: When DRM Attacks

We are a few weeks into the Adobe data breach and have seen the risks it poses; however, many think this breach only affects people who have purchased Adobe software. That is not the case. I was recently interviewed by a local news station about how the breach may affect anyone who has checked out an eBook from a public library.

One of the particularly interesting factors in this breach is the number of accounts affected. Currently, roughly 130 million accounts are known to have been compromised. How can this number be so high? Does Adobe really have that many customers?

From the data at hand, it appears that only 3 million of the accounts belonged to actual paying customers, since those were the ones whose encrypted credit card numbers were collected as part of the data breach. So where do the other 127 million accounts come from?

One key source, I believe, is Adobe’s Digital Rights Management (DRM). Doing some research, I found that one of the key users of Adobe DRM is a company called OverDrive.

OverDrive currently provides DRM and digital distribution of eBooks for 22,000 libraries, schools and colleges, with over 1 million titles from 2,000 publishers. Now the rub: using their distribution service to check out an eBook from a participating library requires an Adobe ID.

Want to use your Kindle to check out an eBook from the local public library? Sure, but you will have to create an Adobe ID to do so, in addition to providing your library card number. Even library employees are affected: 215 employees of the New York Public Library and 72 at the San Francisco Public Library were among the compromised accounts.

Adobe DRM

It seems a bit of an odd twist that a company that built technology to protect the rights of publishers has so failed to protect its users. Given that an Adobe ID is required to check out an eBook from a public library, you would think there would be some oversight or security standards in place for its use. I could find none. It appears that libraries simply trust that Adobe is properly securing these credentials.

With this in mind, I wonder how the records of which books we check out are secured. Every time you check out an eBook, it appears a record is kept by both the library and Adobe. There is also a record of the devices being used, with unique identifiers.

Libraries have to provide records to law enforcement when a subpoena or other legal order for those records is presented. But what if that record is not a library record, but one housed by a third-party corporation?

What if this information were to be breached just as the Adobe user database was? At that point the data would be considered “open source” and fair game for law enforcement and those with malicious intent alike, without your knowledge or consent.

The books we read can sometimes tell a lot more about a person than their social media accounts. If there is such a breach, I would just like to state for the record that I checked out 50 Shades of Grey for research.



Ken Westin
