Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Office of the Australian Information Commissioner cooperates with international counterparts to finalise Adobe investigation

The Australian Privacy Commissioner, Timothy Pilgrim, has found that Adobe Systems Software Ireland Pty Ltd (Adobe) breached the Privacy Act 1988, following a cyber-attack that affected at least 38 million Adobe customers globally, including over 1.7 million Australians.

Recognising the global nature of this incident, the Commissioner’s investigation was conducted in cooperation with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada.

The Commissioner’s investigation found that Adobe failed to take reasonable steps to protect all of the personal information it held. ‘The Privacy Act does not require an organisation to design impenetrable systems, however, this case demonstrates the importance of organisations applying sufficiently robust security measures consistently across systems,’ Mr Pilgrim said.

The personal information compromised in the attack was held on a backup system that was designated to be decommissioned. The information included email addresses, encrypted passwords, plain text password hints and encrypted payment card numbers and payment card expiration dates.

‘Adobe generally takes a sophisticated and layered approach to information security and the protection of its IT systems,’ Mr Pilgrim acknowledged.  ‘However I was particularly concerned about the way in which Adobe protected its customers’ email addresses and associated passwords in the compromised system.’

The type of encryption that Adobe used for the customer passwords stored in its backup system, together with password hints stored in plain text, allowed security experts to identify the most common passwords and the customer accounts associated with those passwords.

‘I am satisfied that the measures that Adobe took in response to the data breach will assist it to significantly strengthen its privacy framework and meet its obligations under the Privacy Act. I have asked Adobe to engage an independent auditor to certify that it has implemented the planned remediation, and to provide me with a copy of the certification and auditor report by 30 June 2015’, Mr Pilgrim said.

Media contact:          Ms Tessa Loftus          0407 663 968    

Background information

As this breach occurred prior to 12 March 2014, Adobe was subject to the National Privacy Principles (NPP). The Commissioner’s investigation focused on NPP 2 (use and disclosure) and NPP 4 (data security):

  • NPP 2 stated that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless a listed exception applies.

  • NPP 4.1 provided that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

NPP 2 was replaced on 12 March 2014 by Australian Privacy Principle (APP) 6, and NPP 4 was replaced by APP 11. The requirements of these APPs are substantially similar to the two NPPs.

Further, as the breach occurred before 12 March 2014, the Privacy Commissioner’s powers, under the Privacy Act 1988, to resolve the investigation were limited to making recommendations.

The OAIC and Data Protection Commissioner of Ireland exchanged information about the data breach in accordance with the Memorandum of Understanding on Mutual Assistance in the Enforcement of Laws Protecting Personal Information in the Private Sector, which they entered into on 25 April 2014. See OAIC website:

The OAIC and Office of the Privacy Commissioner of Canada exchanged information under the APEC Cross-Border Privacy Enforcement Arrangement: APEC Cross-Border Privacy Enforcement Arrangement (PDF).

The full report can be accessed on the OAIC website: