Adobe Systems Software Ireland breached the Privacy Act following a cyberattack that affected more than 1.7 million customers in Australia, the Privacy Commissioner, Timothy Pilgrim said on Tuesday.
The Commissioner — working with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada — found that Adobe failed to take reasonable steps to protect all of the personal information it held.
The investigation began on 13 December 2014 after Adobe stated on its website that it had been the target of a cyberattack involving the illegal access of customer information as well as source code for numerous Adobe products.
Data compromised in the attack — which affected at least 38 million customers globally — was held on a backup system that was designated to be decommissioned. Information included email addresses, encrypted passwords, plain text password hints, and encrypted payment card numbers and payment card expiration dates.
Pilgrim said Adobe generally takes a sophisticated and layered approach to information security and the protection of its IT systems.
"However, I was particularly concerned about the way in which Adobe protected its customers' email addresses and associated passwords in the compromised system," he said.
The type of encryption that Adobe used for the customer passwords stored in its backup system, together with password hints stored in plain text, allowed security experts to identify the most common passwords and the customer accounts associated with those passwords.
Adobe took steps to contain the damage as soon as it became aware of the breach. These steps included disconnecting the compromised database server from the network, initiating an investigating, blacklisting IP addresses, and changing passwords for all administrator accounts.
Pilgrim said although the Privacy Act does not require an organisation to design impenetrable systems, however, the case demonstrated the importance of organisations applying sufficiently robust security measures consistently across systems.
"I am satisfied that measures Adobe took in response to the data breach that will assist it to significantly strengthen its privacy framework and meet its obligations under the Privacy Act," Pilgrim said.
"I have asked Adobe to engage an independent auditor to certify that it has implemented the planned remediation, and to provide me with a copy of the certification and auditor report by 30 June, 2015," Pilgrim said.
Adobe said in a statement that it was pleased that the Commissioner had closed the investigation and is satisfied that Adobe responded quickly and effectively to the incident.
"Cyber-attacks are one of the unfortunate realities of doing business today. Security — and in particular, the security of customer information — is very important to us. We value the trust of our customers and have been working aggressively to prevent these types of events from occurring in the future," the company said.
Sign up for Computerworld eNewsletters.