This issue, and from what I'm seeing is shared by lot of others as well, has lead to a petition to the US gov. demanding corporations that have databases hacked to inform every individual that their personal info was stolen and not just offer some blanket email alert to change an account password.
It just that Krebs report is the first I've heard of what I linked above and Krebs himself. I've been quite busy this morning seeing how many other ways ID has accidentally or intentionally been released.
Krebs is a bit like the Michael Reichman of IT Security issues impacting customers. He's very well connected, understands the details and the overall impact of info he receives and his thoughts are extremely valuable.
As far as laws are concerned, there are laws in many places nowadays, one of the first was California. Discussed here when it was announced (
http://www.securityfocus.com/news/1984).
Leaving aside the fact that a large batch of hash passwords is roughly 85% as useful as a batch of plain text to competent hackers, we have to take into account that Adobe itself doesn't necessary knows and will not necessarily know what happened. The standard semi-reassuring but vague language of the initial release, which I commented a bit in another post, made that clear.
A typical incident often evolves like this
Credit Card companies identify a pattern in frauds. That pattern points to people who have been customer of company X or store Y. Credit Card contacts X and Y. They are unaware they have been compromised and start an investigation at that point. Potential breach sources are identified and examined. Depending on the logging available, on how well the forensic aspects were handled, on how competent the hackers were, this can take a long time and yield partial results. And, while in practice investigations do complete, there's still the lingering doubt of having missed something. It's not easy to see where the line has to be drawn. Even if it wanted to (which is doubtful given the initial details) there isn't a single moment where one can say "we have everything, we disclose everything, case closed".
Last but not least, replacing 38.000.000 credit cards has a cost. There will be a cost vs risk analysis at the bank and CC level. In the late 90s, the RSA factors of the French bank cards were compromised: in practice, that meant that people could withdraw cash with phantom cards. Banks and IT security specialists were aware of it, quite a few hackers as well. But changing the system for that single reason was seen as too expensive and a "fix as you go" plan was put in place. It lasted for years...