Adobe failed to adequately protect customers' info: Privacy Commissioner

Fallout from 2013 hack of Adobe's network

Adobe failed to adequately protect customer information from hackers, the Privacy Commissioner, Timothy Pilgrim, has found.

In late 2013 Adobe discovered that its network had been breached by hackers. The attack affected approximately 38 million Adobe customers globally, including 1.7 million Australians.

Hackers stole personal information including 2.9 million credit cards.

The personal information compromised in the attack was held on a backup system that was decommissioned. The information included email addresses, encrypted passwords, plain text password hints, encrypted payment card numbers and payment card expiration dates.

A statement issued today by Pilgrim said that Adobe “failed to take reasonable steps” to protect all of the personal information it held.

“The Privacy Act does not require an organisation to design impenetrable systems; however, this case demonstrates the importance of organisations applying sufficiently robust security measures consistently across systems,” he said.

According to Pilgrim, Adobe generally takes a sophisticated and layered approach to information security. However, he was concerned about the way in which Adobe protected its customers’ email addresses and associated passwords in the compromised system.

“The type of encryption that Adobe used for the customer passwords stored in its backup system, together with password hints stored in plain text, allowed security experts to identify the most common passwords and the customer accounts associated with those passwords,” said Pilgrim.
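The weakness Pilgrim describes can be checked for in a credential store. The following is an added example, not code from the article or from Adobe. The article does not name the cipher, so a keyed HMAC under one hypothetical system-wide key stands in for any deterministic protection; the accounts are constructed sample data. It contrasts that scheme with per-account salted PBKDF2 and audits both for repeated stored values.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data).
ACCOUNTS = [
    ("a@example.com", "123456"),
    ("b@example.com", "123456"),
    ("c@example.com", "photoshop"),
    ("d@example.com", "123456"),
    ("e@example.com", "Xk9!vq2#Lm"),
]

KEY = b"constructed-demo-key"  # hypothetical single key shared by every record
ITERATIONS = 600_000           # PBKDF2-HMAC-SHA256 work factor (assumed setting)


def store_deterministic(password: str) -> bytes:
    """Stand-in for deterministic encryption: equal passwords give equal output."""
    return hmac.new(KEY, password.encode(), hashlib.sha256).digest()


def store_salted(password: str) -> bytes:
    """Random 16-byte salt per account, stored in front of the derived hash."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = stored[:16], stored[16:]
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)


def build_table(store) -> list:
    """Apply a storage function to every sample account."""
    return [store(password) for _, password in ACCOUNTS]


def audit_reuse(stored_values) -> tuple:
    """Return (size of largest identical group, accounts sharing a stored value)."""
    counts = Counter(stored_values)
    shared = sum(c for c in counts.values() if c > 1)
    return max(counts.values()), shared


if __name__ == "__main__":
    print("deterministic:", audit_reuse(build_table(store_deterministic)))
    print("salted PBKDF2:", audit_reuse(build_table(store_salted)))
```

Any repeated stored value in a real credential table indicates that the protection is deterministic, which is what lets common passwords be ranked by frequency and matched against plain text hints.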

Adobe has been asked to hire an independent auditor to certify that it has implemented the planned remediation. The vendor will need to provide Pilgrim with a copy of the certification and auditor report by 30 June 2015.

Because the breach occurred before 12 March 2014 when the Australian Privacy Principles came into law, the Privacy Commissioner’s powers to resolve the investigation were limited to making recommendations.

“We value the trust of our customers and have been working aggressively to prevent these types of events from occurring in the future,” an Adobe spokesperson said.

Follow Hamish Barwick on Twitter: @HamishBarwick
