Adobe Systems has settled a class action court case against the company for a massive data breach that saw the personally identifiable information of millions of users spilt onto the internet.
The 2013 data breach was first thought to have leaked the details of three million users, but that figure was later revised to around 38 million people.
Of these, over 135,000 Australian credit card numbers were disclosed in the hack, along with more than 1,787,000 Australian user passwords.
Credit card details and user logins were taken by unknown hackers in the data breach. The actual number of Adobe accounts leaked onto the internet may have been over 152 million, with a 3.8-gigabyte file doing the rounds in different forums and file sharing sites.
Australian privacy commissioner Timothy Pilgrim conducted a year-and-a-half-long investigation into the data breach and, in a report published in June this year, found that Adobe had breached its responsibilities and obligations to local customers.
Pilgrim's investigation found that Adobe generally ran sophisticated and mature information security protections, but dropped the ball when it came to a single internal server that was due to be decommissioned and which held the details of millions of users.
Hackers managed to breach the server to purloin data. The data contained password hints and emails stored in plain text, linked directly to passwords that were themselves protected only by block cipher encryption, Pilgrim said.
Pilgrim said the single-key block cipher encryption resulted in all commonly used passwords displaying the same ciphertext, making them easy pickings for hackers who aggregated the common results and matched them en masse to the most commonly used passwords.
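The weakness Pilgrim describes can be measured on a credential store by counting stored values that repeat across accounts. The following is an added example, not code from Adobe or from the commissioner's report: the toy Feistel cipher stands in for the unnamed block cipher, and the key, sample accounts and function names are all constructed for illustration. It compares single-key deterministic encryption with per-account salted hashing.

```python
import hashlib
import hmac
import os
from collections import Counter

KEY = b"one-key-for-every-row"   # constructed: a single key shared by all accounts
USERS = [                        # constructed sample accounts
    ("a@example.com", "123456"), ("b@example.com", "123456"),
    ("c@example.com", "password"), ("d@example.com", "123456"),
    ("e@example.com", "x9!Lr0-unique"),
]

def _toy_block(block, key):
    """Toy 64-bit Feistel block cipher: a stand-in, not the cipher Adobe used."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def encrypt_single_key(password, key=KEY):
    """Deterministic storage: pad, then encrypt each 8-byte block independently."""
    data = password.encode()
    pad = 8 - len(data) % 8
    data += bytes([pad]) * pad
    return b"".join(_toy_block(data[i:i + 8], key) for i in range(0, len(data), 8))

def hash_salted(password, salt=None):
    """Corrected storage: per-account random salt plus a slow one-way KDF."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify(password, salt, digest):
    """Recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], digest)

def repeated_values(stored):
    """Stored credential values that appear on more than one account."""
    return {v: n for v, n in Counter(stored).items() if n > 1}

def audit(users=USERS):
    """Return (largest group sharing one ciphertext, repeated salted hashes)."""
    encrypted = [encrypt_single_key(pw) for _, pw in users]
    salted = [hash_salted(pw)[1] for _, pw in users]
    return max(repeated_values(encrypted).values(), default=0), len(repeated_values(salted))

if __name__ == "__main__":
    print(audit())
```

Because each 8-byte block is encrypted independently in this sketch, two longer passwords that share their first eight characters also share their first ciphertext block, so the equality leak is not limited to identical passwords.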
Due to the data breach taking place before the expanded privacy legislation in Australia was enacted in 2014, Pilgrim's office was unable to mete out a penalty to Adobe for failing to secure the customer data.
United States district court judge Lucy Koh approved the settlement for an unknown amount and dismissed the case. Adobe faces a bill for plaintiff's legal fees of A$1.6 million, but the amount payable to the victims of the hack was not disclosed.