Adobe has agreed to allow an independent auditor to ensure it has taken sufficient steps to harden its systems following a 2013 cyber attack that left 38 million of its customers exposed to fraud.
Australian Privacy Commissioner Timothy Pilgrim yesterday revealed that he had requested the audit after releasing the findings of an inter-governmental report that led him to conclude that the software company had breached the Privacy Act.
Adobe had not responded to requests for comment on the findings by late yesterday but a spokeswoman for the Office of the Australian Information Commissioner (OAIC) confirmed that the software company had agreed to the measure.
The breach, which took place when Adobe left an obsolete server exposed to the internet for about three months, gave hackers access to a database containing massive amounts of sensitive information belonging to its Australian customers.
It included email addresses, encrypted passwords and plain text password hints, and in about 135,000 cases encrypted card numbers and other payment information. Overall, the breach impacted 1.7 million Australians.
Mr Pilgrim found that the company had breached the National Privacy Principles in force at the time of the attack, which required that “an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure”.
Mr Pilgrim said in a statement yesterday that Adobe “generally” takes a sophisticated approach to protecting its IT systems. “However,” he added, “I was particularly concerned about the way in which Adobe protected its customers’ email addresses and associated passwords in the compromised system”.
The OAIC conducted its investigation of the incident in cooperation with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada.
Following its investigation, the commissioner was particularly critical of Adobe’s approach to encrypting the data.
It found that the passwords stored in the database were reversibly encrypted under a single key shared across every record, rather than protected individually by “salting and hashing”, the process in which each password is combined with a unique random value (the salt) and passed through a one-way hash function. With a single key, anyone who recovers that key recovers every password at once; without a per-user salt, two customers who chose the same password end up with identical stored values.
“Hashing and salting is a basic security step that Adobe could reasonably have implemented to better protect the passwords in its backup system. Adobe also stored customer ‘password hints’ in plain text rather than in an encrypted format, further exposing its customers’ passwords to risk,” the OAIC concluded in its report.
It also found that the methods Adobe used allowed attackers to infer when customers were using common passwords such as “123456”: because every password was transformed with the same key and no per-user randomness, customers who chose the same password had identical stored values, so the largest clusters of identical values mark the most popular passwords, and the plain-text hints stored beside them let an attacker work out which password each cluster holds without ever recovering the key.
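The clustering attack described above, and the salted-hash scheme the OAIC said Adobe could reasonably have used, as an added worked example (this is not Adobe’s code and is not taken from the report; the sample user records, the hints and the site-wide key are constructed for illustration). The article does not name the cipher Adobe used, so the single-key scheme is stood in for by an HMAC under one fixed key, which reproduces the one property the attack relies on: the same password gives the same stored bytes for every user.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (email, password, hint); not real customer data.
SAMPLE_USERS: List[Tuple[str, str, str]] = [
    ("alice@example.com", "123456", "the usual"),
    ("bob@example.com", "123456", "one to six"),
    ("carol@example.com", "hunter2", "game name"),
    ("dave@example.com", "123456", "numbers"),
    ("erin@example.com", "correcthorse", "comic strip"),
]

# Hypothetical single site-wide key. The attacker never learns it, and the
# attack below does not need it.
SITE_WIDE_KEY = b"assumed-single-key-for-every-record"

PBKDF2_ROUNDS = 100_000


def single_key_protect(password: str) -> bytes:
    """Stand-in for 'encrypt every password under one key, no per-user salt'.

    HMAC-SHA256 under a fixed key is used only because it shares the property
    the inference attack exploits: equal passwords -> equal stored bytes for
    every user. (The real scheme was reversible encryption; that difference
    does not change the clustering attack shown here.)
    """
    return hmac.new(SITE_WIDE_KEY, password.encode(), hashlib.sha256).digest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt-and-hash: a fresh random 16-byte salt per record, then a slow
    one-way KDF (PBKDF2-HMAC-SHA256 from the standard library)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login-time check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def leaked_table(users, protect: Callable[[str], bytes]) -> List[Tuple[str, bytes, str]]:
    """What the attacker holds after the breach: email, protected password and,
    as the OAIC found, the password hint in plain text."""
    return [(email, protect(pw), hint) for email, pw, hint in users]


def cluster_sizes(rows) -> List[int]:
    """Sizes of the groups of identical protected values, largest first.
    Clusters larger than 1 only arise when the scheme is deterministic across users."""
    return sorted(Counter(blob for _, blob, _ in rows).values(), reverse=True)


def infer_common_password(rows) -> Dict[str, List[str]]:
    """Attacker logic: take the largest cluster of identical stored values and
    read the plain-text hints beside it; a human reads 'one to six' and tries
    '123456' for every account in the cluster. No key is needed."""
    groups: Dict[bytes, List[Tuple[str, str]]] = {}
    for email, blob, hint in rows:
        groups.setdefault(blob, []).append((email, hint))
    biggest = max(groups.values(), key=len)
    return {"emails": [e for e, _ in biggest], "hints": [h for _, h in biggest]}


if __name__ == "__main__":
    weak = leaked_table(SAMPLE_USERS, single_key_protect)
    print("single key, no salt ->", cluster_sizes(weak))  # [3, 1, 1]
    print("hints beside the largest cluster:", infer_common_password(weak)["hints"])
    strong = leaked_table(SAMPLE_USERS, lambda pw: salted_hash(pw)[1])
    print("salted and hashed   ->", cluster_sizes(strong))  # [1, 1, 1, 1, 1]
```

With the single-key scheme the three “123456” accounts share one stored value, so the cluster stands out and the hints identify it; with a per-user salt the same three passwords produce three unrelated digests and the signal disappears, while the site can still verify a login by re-running the KDF with the stored salt. Plain-text hints remain a liability under either scheme, which is why the OAIC called them out separately.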
Mr Pilgrim asked Adobe to provide the government with a copy of the auditor’s report by 30 June 2015.
This article is brought to you by Enex TestLab, content directors for CSO Australia.