How secure is encrypted credit card data, really?

Adobe claims that only encrypted credit card data was compromised in the recent breach, but that doesn't necessarily mean the attackers can't access the information.

Adobe revealed last week that it was the victim of a sophisticated hack that exposed product source code, and sensitive data on about three million customers to attackers. Adobe assuaged concerns over stolen credit card data by pointing out that the data is encrypted. That's nice, but there's still a big difference between "encrypted" and "invulnerable".

Think of encryption like locking your front door. You can choose not to lock it. You can lock it with a simple, basic lock. You can also use a complex, very secure lock mechanism, and/or a layered defense that includes a deadbolt in addition to the standard lock. 

This article from Forbes describes a number of potential concerns that remain for Adobe customers in spite of the fact that the data was encrypted. Given the right tools, skills, and sufficient time, encryption can be broken. It really just depends on how complex the Adobe encryption is, and how dedicated the attackers are to cracking it. 

The actual credit card information is not the only thing at risk, either. As the Forbes article points out, there is a plethora of personally identifiable information that might be associated with a customer account that might not have been encrypted. An attacker may not be able to rack up charges on your card using that information, but the attacker can steal your identity and possibly open up new credit card accounts in your name.

Adobe is a great company with generally solid security practices. I think it's fair to give Adobe some benefit of the doubt regarding just how encrypted and secure the compromised data is. I'm just reiterating that there's no such thing as impenetrable encryption, so its prudent to take "the data is encrypted" platitudes with a grain of salt. 

Copyright © 2013 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022