The Office of the Australian Information Commissioner (OAIC) announced today that it has completed its investigation into the data breach suffered by Adobe in 2013. The OAIC concluded that Adobe breached the Privacy Act 1988, but the agency says it’s satisfied with the software giant’s response to the incident.
Adobe uncovered the breach in mid-September 2013, more than two weeks after malicious actors gained unauthorized access to the company’s systems. The attackers managed to steal information on 38 million Adobe customers, including 1.7 million Australians, along with source code for some of the company’s products. According to some reports, more than 150 million records were compromised.
The incident was investigated by the OAIC, the Office of the Data Protection Commissioner (ODPC) in Ireland, and the Office of the Privacy Commissioner (OPC) of Canada.
In a report published on Tuesday, the OAIC noted that Adobe failed to take reasonable steps to protect the personal information it had been storing, thus breaching one of the National Privacy Principles. The agency pointed out that while Adobe’s systems were generally properly protected, the company failed to consistently implement strong security measures across internal systems.
The Commissioner’s report refers to the backup server hosting the information stolen by the attackers. The server, which Adobe had been planning to decommission, stored email addresses and password hints in clear text, and passwords that were not properly encrypted.
“The Privacy Act does not require an organisation to design impenetrable systems, however, this case demonstrates the importance of organisations applying sufficiently robust security measures consistently across systems,” stated Timothy Pilgrim, the Australian Privacy Commissioner.
Both the OAIC and the OPC say they are pleased with how Adobe handled the incident.
“I am satisfied that the measures that Adobe took in response to the data breach will assist it to significantly strengthen its privacy framework and meet its obligations under the Privacy Act,” said Pilgrim. “I have asked Adobe to engage an independent auditor to certify that it has implemented the planned remediation, and to provide me with a copy of the certification and auditor report by 30 June 2015.”
“The investigation raised serious concerns about outdated software and inadequate password management practices that, for example, did not encrypt password hints. The OPC was pleased that Adobe adopted numerous changes to enhance privacy and better protect its customers’ personal information from unauthorized access,” said the OPC.
Adobe says it’s pleased that the investigation has been closed and that the privacy commissioner is satisfied that the company responded quickly and effectively to the incident.
“Cyber-attacks are one of the unfortunate realities of doing business today. Security — and in particular the security of customer information — is very important to us. We value the trust of our customers and have been working aggressively to prevent these types of events from occurring in the future,” Adobe told SecurityWeek in an emailed statement.