Adobe Failed to Safeguard Privacy of 38 Million Customers

The Office of the Australian Information Commissioner (OAIC) concluded that Adobe failed to take reasonable steps to protect customer information stored on its servers, a failure exposed by the data breach it suffered in 2013. The stolen customer database included email addresses, payment data, password hints, customer names and physical addresses. The OAIC also determined that:

  • 8 million Australian Adobe customers’ (active and inactive) account details were stolen together with a current, active password.
  • A further 218,000 Australian accounts had an obsolete password.
  • Encrypted stored payment details were stolen from a further 135,000 Australian users.
  • Globally, the data of 38 million users was exposed by the breach.

The Global Hack.

The hack occurred when attackers targeted a backup server that was due to be stripped and decommissioned. The server held customers’ passwords and payment data, encrypted at rest. However, digital forensic analysis of the attack found, as the report highlighted, that Adobe had applied a single block cipher uniformly across the entire database. This meant that identical passwords produced identical ciphertext, so accounts sharing a password could be grouped together.

  • 2 million users affected by the breach were using ‘123456’ as their account password, making those accounts easy for attackers to compromise.
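The report’s finding above, that one block cipher was applied uniformly across the whole database so that identical passwords shared a ciphertext, is the characteristic leak of a deterministic encryption mode such as ECB, where every block is encrypted independently with the same key and no per-user variation. The following Python is an added example and is not Adobe’s code or anything from the OAIC report: a toy Feistel block cipher (constructed here; the page does not name Adobe’s actual cipher) is run in ECB mode over a constructed user table, and the stored values are clustered the way a forensic analyst would cluster the stolen table to find the ‘123456’ group without knowing the key. The salted PBKDF2 storage in the same block is the standard mitigation, included for contrast.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict

BLOCK = 16          # block size in bytes
HALF = BLOCK // 2

# Constructed demo key; in the system the report describes this is the one database-wide key.
DEMO_KEY = b"constructed-single-database-key"

# Constructed sample accounts: (username, password, password hint).
SAMPLE_USERS = [
    ("alice", "123456", "one to six"),
    ("bob", "123456", "just count"),
    ("carol", "123456", "the obvious one"),
    ("dave", "hunter2", "classic"),
    ("erin", "correct horse battery staple", "xkcd"),
    ("frank", "correct horse battery stapler", "xkcd plus one"),
]


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed PRF of (round index || half block), truncated to a half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Toy Feistel block cipher, a stand-in for the unnamed production cipher.
    Like any block cipher it is deterministic: same key and block always give the same output."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for r in range(rounds):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round_fn(key, r, right)))
    return left + right


def decrypt_block(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Inverse of encrypt_block: run the rounds backwards."""
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(rounds)):
        left, right = bytes(a ^ b for a, b in zip(right, _round_fn(key, r, left))), left
    return left + right


def _pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB mode: each block encrypted independently, same key, no IV, so equal plaintext
    blocks anywhere in the database produce equal ciphertext blocks."""
    padded = _pad(data)
    return b"".join(encrypt_block(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def store_ecb(key: bytes, users):
    """Store passwords as the report describes: one cipher, one key, whole database."""
    return [(name, ecb_encrypt(key, pw.encode()), hint) for name, pw, hint in users]


def cluster_by_ciphertext(records):
    """Forensic view from the stolen table alone: users grouped by identical ciphertext,
    with their hints. Only groups of more than one user are returned."""
    groups = defaultdict(list)
    for name, ct, hint in records:
        groups[ct].append((name, hint))
    return {ct: members for ct, members in groups.items() if len(members) > 1}


def shared_leading_block(records):
    """ECB leaks partial matches too: passwords sharing their first 16 bytes share a ciphertext block."""
    groups = defaultdict(list)
    for name, ct, _ in records:
        groups[ct[:BLOCK]].append(name)
    return {blk: names for blk, names in groups.items() if len(names) > 1}


def largest_cluster(records) -> int:
    """Size of the biggest group of identical stored values (1 means nothing can be grouped)."""
    return max(Counter(rec[1] for rec in records).values())


def store_salted(users, iterations: int = 100_000):
    """Mitigation: random per-user salt plus a slow KDF (hashlib's PBKDF2-HMAC-SHA256).
    Equal passwords now yield different stored values; hints are dropped entirely."""
    out = []
    for name, pw, _hint in users:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        out.append((name, salt + dk))
    return out


def verify_salted(stored_value: bytes, password: str, iterations: int = 100_000) -> bool:
    """Constant-time check of a password against a salted record."""
    salt, dk = stored_value[:16], stored_value[16:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


if __name__ == "__main__":
    weak = store_ecb(DEMO_KEY, SAMPLE_USERS)
    for ct, members in cluster_by_ciphertext(weak).items():
        print(f"{ct.hex()[:16]}... shared by {members}")
    print("largest ECB cluster:", largest_cluster(weak))
    print("largest salted cluster:", largest_cluster(store_salted(SAMPLE_USERS)))
```

Running the block prints one cluster of three users whose hints (“one to six”, “just count”, “the obvious one”) point at the same password, which is exactly how a ‘123456’ group of two million accounts becomes visible in a stolen table; the salted store has no cluster larger than one.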

Highlighting the inadequacy of these security measures, the report read, “This data breach demonstrates the importance of designing an information security system with multiple levels of protections, checks, and balances, and for organizations to ensure that sufficiently robust security measures are applied consistently across all systems.”

Strikingly, it went on to say, “Given the resources available to Adobe to implement robust security measures consistently across all its systems, and the consequences for individuals if the data on the old servers was compromised, the commissioner found that Adobe breached NPP 4 [National Privacy Principles].”

For its part, Adobe immediately decommissioned the compromised data server and detached it from its network. Prudently, the company also notified affected customers via email, instructing them to reset their passwords. Password hints were discontinued altogether.

“I am satisfied that the measures that Adobe took in response to the data breach (Data breach response) will assist it to significantly strengthen its privacy framework and meet its obligations under the Privacy Act,” Australian Privacy Commissioner Timothy Pilgrim said in a statement.

Adobe has already taken steps to limit such attacks in the future. Two-factor authentication, vulnerability scanning and annual security audits are now the norm, along with stricter measures to protect customer data and payment information.