Adobe breached Privacy Act leaving 38 million customers exposed

Adobe has agreed to allow an independent auditor to verify that it has taken sufficient steps to harden its systems, following a 2013 cyber attack that left 38 million of its customers exposed to fraud.

Australian Privacy Commissioner Timothy Pilgrim revealed yesterday that he had requested the audit after publishing the findings of an inter-governmental report that led him to conclude that the software company had breached the Privacy Act.

Adobe had not responded to requests for comment on the findings by late yesterday but a spokeswoman for the Office of the Australian Information Commissioner (OAIC) confirmed that the software company had agreed to the measure.

The breach, which took place when Adobe left an obsolete server exposed to the internet for about three months, gave hackers access to a database containing large amounts of sensitive information belonging to its Australian customers.

It included email addresses, encrypted passwords and plain text password hints, and in about 135,000 cases encrypted card numbers and other payment information. Overall, the breach impacted 1.7 million Australians.

Mr Pilgrim found that the company had breached the national privacy principles in force at the time of the attack, which required that “an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure”.

Mr Pilgrim said in a statement yesterday that Adobe “generally” takes a sophisticated approach to protecting its IT systems. “However,” he added, “I was particularly concerned about the way in which Adobe protected its customers’ email addresses and associated passwords in the compromised system”.

The OAIC conducted its investigation of the incident in cooperation with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada.

The commissioner was particularly critical of Adobe’s approach to encrypting the data following its investigation.

It found that the passwords stored in the database were encrypted with a single key, rather than being individually salted and hashed, a process known as “salting and hashing”.

“Hashing and salting is a basic security step that Adobe could reasonably have implemented to better protect the passwords in its backup system. Adobe also stored customer ‘password hints’ in plain text rather than in an encrypted format, further exposing its customers’ passwords to risk,” the OAIC concluded in its report.

It also found that the methods that Adobe used allowed attackers to infer when customers were using common passwords such as “123456”.
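The following example is added here to illustrate the weakness the OAIC describes and is not code from the article or from Adobe. It uses a keyed but unsalted transform (HMAC with one site-wide key, a stand-in for any deterministic single-key encryption; Adobe's actual cipher is not stated on the page) beside per-user salted hashing, and an audit check that counts duplicate stored values: under the single-key scheme every user with the same password shares one stored value, which is what lets common passwords such as “123456” be inferred. The user records are constructed sample data.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records (user, password, plain-text hint); not real data.
SAMPLE_USERS: List[Tuple[str, str, str]] = [
    ("alice", "123456", "the usual"),
    ("bob", "123456", "one to six"),
    ("carol", "correct horse", "comic strip"),
    ("dave", "123456", "just numbers"),
    ("erin", "letmein", "classic"),
]

# Stand-in for a single site-wide key shared by every record.
SINGLE_KEY = b"one-key-for-everyone"


def store_single_key(password: str) -> bytes:
    """Deterministic, keyed, unsalted transform (stand-in for single-key
    encryption). Equal passwords always produce equal stored values."""
    return hmac.new(SINGLE_KEY, password.encode("utf-8"), hashlib.sha256).digest()


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow hash (PBKDF2-HMAC-SHA256).
    Pass the stored salt back in to verify a login attempt."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def duplicate_groups(stored_values: Iterable[bytes]) -> Dict[bytes, int]:
    """Audit check: size of each group of identical stored values.
    Any group larger than 1 means the store reveals which users share a
    password; with plain-text hints beside them, the group's hints
    together point at the shared password."""
    counts = Counter(stored_values)
    return {value: n for value, n in counts.items() if n > 1}


def audit_single_key(records=SAMPLE_USERS) -> Dict[bytes, int]:
    """Expect one group of three: alice, bob and dave all chose 123456."""
    return duplicate_groups(store_single_key(pw) for _, pw, _ in records)


def audit_salted(records=SAMPLE_USERS) -> Dict[bytes, int]:
    """Expect no groups: the per-user salt makes identical passwords distinct."""
    return duplicate_groups(store_salted_hash(pw)[1] for _, pw, _ in records)
```

The same check can be run against any exported credential table as a cheap audit: a non-empty result from `duplicate_groups` is a sign that per-user salting is missing.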

Mr Pilgrim asked Adobe to provide the government with a copy of the auditor’s report by 30 June 2015.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Andrew Colley
