On 13 December 2013, the Australian Privacy Commissioner opened an own motion investigation into Adobe Systems Software Ireland Ltd (Adobe) following Adobe’s statement on its website that it had been the target of a cyber-attack ‘involving the illegal access of customer information as well as source code for numerous Adobe products’ (the data breach).

The Australian Privacy Commissioner has published his report which finds that Adobe breached the Privacy Act 1988, following a cyber-attack that affected at least 38 million Adobe customers globally, including over 1.7 million Australians.

The Commissioner’s investigation was conducted in cooperation with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada.

The Commissioner’s investigation found that Adobe failed to take reasonable steps to protect all of the personal information (including email addresses and associated passwords) it held from misuse and loss and from unauthorised access, modification or disclosure.

The breach
Adobe’s subsequent investigation into the attack discovered that the attacker had compromised a public-facing web server and used this compromised web server to access other servers on Adobe’s network. The attacker transferred data out of Adobe’s network.

The server stored a database of unencrypted credential information (email addresses and password hints) of over 1.7 million Australian users, directly linked to the encrypted password for each user. The type of encryption used, together with plaintext password hints, allowed security experts with access to the database, which became widely available on the internet after the breach, to identify the 100 most common passwords and customer accounts associated with those passwords.

The attacker took a copy of a backup database containing the personal information of customers, consisting of:
•customer usernames (Adobe IDs)
•email addresses
•encrypted passwords (a small number of unencrypted passwords, held in a separate database, may also have been compromised)
•plain text password hints
•names
•addresses and telephone numbers of some users
•encrypted payment card numbers and payment card expiration dates.

Adobe advised the Commissioner that there were:
•135,288 Australian users whose encrypted payment card numbers and other payment information were involved in the data breach
•1,787,100 Australian active and inactive users whose current password data was involved
•218,750 Australian active and inactive users whose obsolete password data was involved
•36 Australian users who may have had plain text passwords exposed.

Rectification
Once Adobe became aware of the data breach, it took steps to contain the breach, including:
•Disconnecting the compromised database server from the network.
•Initiating an investigation into the data breach.
•Blacklisting IP addresses.
•Changing passwords for all administrator accounts.
•Resetting passwords (on 3-4 October 2013) for users whose Adobe ID and current password data (i.e. a password that was valid against Adobe’s production authentication system) were in the database taken.
•Notifying affected individuals whose Adobe ID, password data and/or payment card numbers were accessed, including expressing regret for ‘any inconvenience or concern this incident may cause’.
•Notifying the banks processing customer payments for Adobe, so that they could work with the payment card companies and card-issuing banks to help protect customers’ accounts.
•Notifying law enforcement authorities.
•Sending takedown requests to third party site operators that had published the compromised personal information.

The Commissioner expressed concern about the risk of customer passwords being compromised and misused during the period between Adobe discovering that the attacker had accessed encrypted passwords on 23 September 2014 and resetting the passwords nine days later. However the Commissioner noted that Adobe was taking reasonable steps during this time to prepare for the password reset to address this risk.

Adobe also took steps to mitigate against the risk of future data breaches of this nature, including in relation to network monitoring, the storage of payment card information and passwords, two-factor authentication, decommissioning the affected server and abolishing the use of password hints.

As the breach occurred before 12 March 2014, the Privacy Commissioner’s powers, under the Privacy Act 1988, to resolve the investigation were limited to making recommendations.