The Office of the Australian Information Commissioner (OAIC) has concluded that Adobe failed to take reasonable steps to protect personal information that it held when the company suffered an online attack in 2013 that saw the attackers make off with a customer database containing email addresses, payment data, customer names, password hints, and physical addresses.
In its report, the OAIC said that the attackers made off with the details of nearly 1.8 million active and inactive Australian users whose passwords were current, 218,000 Australian accounts with an obsolete password, and the encrypted payment details of 135,000 Australian users.
Overall, the OAIC said that over 38 million global users were impacted by the data breach, with reports at the time putting the number at 150 million users.
The attackers accessed the details by targeting a backup server, which was due to be decommissioned, and only had customers' passwords and payment information encrypted. However, the report said Adobe had used a single block cipher throughout the database, resulting in identical passwords having the same ciphertext in the database.
"For example, each of the 1,911,938 users listed in the database who shared the most common password had their password converted into the following ciphertext, which was stored in the database: 'EQ7fIpT7i/Q='," the report said. "Although this ciphertext is meaningless without access to the encryption key, the fact that different users with the same passwords have the same cipher text (because of the encryption method used) allows common passwords to be grouped together."
An investigation conducted by the Office of the Privacy Commissioner of Canada found that some users had put the password itself, or an obvious clue, in the password hint field -- allowing the attackers to easily find that 'EQ7fIpT7i/Q=' resulted in the password: 123456.
"This data breach demonstrates the importance of designing an information security system with multiple levels of protections, checks, and balances, and for organisations to ensure that sufficiently robust security measures are applied consistently across all systems," the report said.
"Given the resources available to Adobe to implement robust security measures consistently across all its systems, and the consequences for individuals if the data on the old servers was compromised, the commissioner found that Adobe breached NPP 4 [National Privacy Principles]."
In response to the attack, Adobe decommissioned the compromised database server and removed it from its network, notified and reset the passwords for all affected customers, and informed banks and law enforcement of the breach, as well as discontinuing the use of password hints.
At the time of the breach, Adobe told the OAIC that it was already using two-factor authentication elsewhere, and was conducting annual security audits and regular vulnerability scanning.
"I am satisfied that the measures that Adobe took in response to the data breach will assist it to significantly strengthen its privacy framework and meet its obligations under the Privacy Act," Australian Privacy Commissioner Timothy Pilgrim said in a statement. "I have asked Adobe to engage an independent auditor to certify that it has implemented the planned remediation, and to provide me with a copy of the certification and auditor report by 30 June 2015."
Adobe also took steps to mitigate against the risk of future data breaches of this nature, including in relation to network monitoring, the storage of payment card information and passwords, two-factor authentication, decommissioning the affected server, and abolishing the use of password hints.
Updated at June 10, 10:00am AEST: Changed headline to clarify that the backup system was not the root cause of the hack itself in 2013.