US software provider Adobe breached its obligations to Australian customers when hackers broke into its systems in 2013 and made off with loosely encrypted passwords and credit card details, Australian Privacy Commissioner Timothy Pilgrim has found.
Following an 18 month investigation conducted in partnership with Pilgrim's equivalents in Canada and Ireland, the privacy office today ruled Adobe failed to take “reasonable steps” to protect the personal information of 1.7 million Australians to the level demanded by domestic privacy legislation.
The breach occurred between August and September 2013. It exposed 135,288 Australian credit card details and 1,787,100 active local passwords amongst 38 million affected users globally.
Pilgrim said Adobe ran sophisticated and mature information security protections generally, but dropped the ball on one single internal server that was due to be decommissioned but still held the details of millions of users.
The hacked database contained password hints and email addresses stored in plain text, linked directly to passwords that were themselves protected only by block cipher encryption.
Pilgrim said the single-key block cipher encryption meant that every user who chose the same common password ended up with the same ciphertext, making those passwords easy pickings for hackers, who grouped the identical ciphertexts and matched the largest groups en masse to the most commonly used passwords.
He reported many users actually wrote out the password itself in their password hint, which Adobe did not encrypt. Out of the millions of Adobe customers affected by the breach, nearly 2 million were using the password 123456.
“Hashing and salting is a basic security step that Adobe could reasonably have implemented to better protect the passwords in its backup system,” the Privacy Commissioner advised in his report (pdf).
“Adobe also stored customer ‘password hints’ in plain text rather than in an encrypted format, further exposing its customers’ passwords to risk.”
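The two failings the Commissioner describes, deterministic encryption that leaks which users share a password and plain-text hints that sometimes contain the password, can be measured directly. The following is an added example, not code from the report or from Adobe: it uses a fixed-key HMAC as a stand-in for an unsalted single-key block cipher (the stand-in shares only the property that matters here, identical inputs always give identical outputs), compares it with salted PBKDF2 hashing as the report recommends, and shows a registration-time check that rejects hints containing the password. All user records and the key are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample records: (email, password, hint). Several users share
# "123456", and one writes the password itself into the hint, as the report found.
SAMPLE_USERS = [
    ("a@example.com", "123456", "usual numbers"),
    ("b@example.com", "123456", "123456"),
    ("c@example.com", "123456", "counting"),
    ("d@example.com", "password", "the obvious one"),
    ("e@example.com", "password", "dictionary word"),
    ("f@example.com", "correct horse battery", "four words"),
]

SERVER_KEY = b"constructed-single-server-wide-key"  # stands in for the one key

def deterministic_encrypt(password: str) -> bytes:
    # Assumption: a fixed-key HMAC models an unsalted single-key block cipher.
    # It is not the cipher Adobe used; it only reproduces the equality leak.
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).digest()

def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Per-user random salt plus a slow KDF: equal passwords no longer match.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_salted(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(salted_hash(attempt, salt)[1], digest)

def largest_cluster(stored: List[bytes]) -> int:
    # Size of the biggest group of identical stored values; anything above 1
    # means the store reveals which users chose the same password.
    return Counter(stored).most_common(1)[0][1]

def largest_cluster_deterministic(users=SAMPLE_USERS) -> int:
    return largest_cluster([deterministic_encrypt(p) for _, p, _ in users])

def largest_cluster_salted(users=SAMPLE_USERS) -> int:
    return largest_cluster([salted_hash(p)[1] for _, p, _ in users])

def hint_is_acceptable(password: str, hint: str) -> bool:
    # Registration-time policy: a hint must not contain the password itself.
    return password.lower() not in hint.lower()

def users_with_leaking_hints(users=SAMPLE_USERS) -> List[str]:
    return [email for email, pw, hint in users if not hint_is_acceptable(pw, hint)]
```

With the constructed records the deterministic scheme yields a cluster of three identical ciphertexts for "123456", the salted scheme yields none, and the hint check flags the one user whose hint is the password.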
The database of customer details was subsequently posted online. Despite his criticisms, Pilgrim commended Adobe for quickly resetting passwords, notifying customers and issuing takedown requests to websites hosting the stolen data.
He said he was happy with the remediation efforts Adobe implemented following the incident.
The breach took place before expanded Australian privacy legislation took effect in March 2014, meaning the Privacy Commissioner does not have the option of imposing a financial penalty on the company.