Australia's privacy commissioner says basic mistakes at Adobe allowed hackers to ransack its customer database in 2013, and reveals that the company plans to appoint auditors to make sure it won't experience a repeat of the breach.
Timothy Pilgrim, holder of the privacy commissioner's office, yesterday released a report [PDF] on the September 2013 infiltration of Adobe's systems, and whether it breached the nation's privacy principles.
The report revisits the attack, which took place when miscreants were able to access a backup server on which they found a database of usernames, encrypted passwords and unencrypted password hints, plus some credit card numbers.
Adobe's security practices at the time, the report says, were pretty shabby: the company knew the security on the backup server was sub-par because it used the same encryption key for all passwords. While the Photoshop giant planned to use a new encryption system, and intended to decommission the old backup server, it hadn't done the job.
The rest is history: 135,288 Australian users' credit card numbers were exposed, and 1,787,100 Australian users' passwords were accessed. About 38 million accounts in all were compromised.
The commissioner’s report is pretty kind to Adobe, noting that it acted responsibly once the breach was identified. There's some brow-furrowing about the nine-day black hole between spotting the hack and alerting users, but overall the report positions the status of the backup server as Adobe's worst moment rather than indicative of its overall security effort.
But that doesn't save the American company from being told it breached Australia's fourth national privacy principle (NPP 4), which can be understood as “thou shalt ensure personal information is kept secure from unauthorised use or access.”
Here's the commissioner's ruling:
Given the resources available to Adobe to implement robust security measures consistently across all its systems and the consequences for individuals if the data on the old servers was compromised, the Commissioner found that Adobe breached NPP 4 by failing to take reasonable steps to protect all of the personal information it held from misuse and loss and from unauthorised access, modification or disclosure.
The commissioner has flogged Adobe with wet lettuce, telling it to straighten up and fly right to make sure this kind of thing doesn't happen again.
There is the admission that “Adobe advised that it intends to engage a suitably qualified independent auditor to certify that it has implemented a number of security measures to strengthen its information security systems.” But there's no penalty; Adobe gets off with a promise to do better. Whether the millions of Adobe users with laughable passwords will also do better is anyone's guess. ®