Publication date: 1 June 2015

Overview

On 13 December 2013, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into Adobe Systems Software Ireland Ltd (Adobe) following Adobe’s statement on its website that it had been the target of a cyber-attack ‘involving the illegal access of customer information as well as source code for numerous Adobe products’ (the data breach).[1]

The investigation focused on whether Adobe took reasonable steps to protect the personal information that it held from misuse and loss and from unauthorised access, modification or disclosure.

As part of his decision-making process, the Commissioner considered the facts of the case, submissions from Adobe and relevant provisions of the Privacy Act 1988 (Cth).

This data breach affected the personal information of millions of individuals globally. In order to maximise the efficiency of his investigation and avoid regulatory duplication, the Commissioner liaised with the Data Protection Commissioner of Ireland (DPCI)[2] and the Office of the Privacy Commissioner of Canada (OPCC)[3] throughout the course of his investigation, and referred to the analysis of the data breach conducted by the DPCI and OPCC in making his findings.

The Commissioner came to the view that Adobe had breached the Privacy Act by failing to take reasonable steps to protect all of the personal information it held from misuse and loss and from unauthorised access, modification or disclosure. In particular, the Commissioner had concerns about how Adobe protected user credential information (email addresses and associated passwords).

While Adobe generally took a sophisticated and layered approach to information security and the protection of its IT systems, it failed to implement consistently strong security measures across its various internal systems. In particular, a backup server stored a database of unencrypted credential information (email addresses and password hints) of over 1.7 million Australian users, directly linked to the encrypted password for each user. The type of encryption used, together with plaintext password hints, allowed security experts with access to the database, which became widely available on the internet after the breach, to identify the 100 most common passwords and customer accounts associated with those passwords.

This data breach demonstrates the importance of designing an information security system with multiple levels of protections, checks and balances, and for organisations to ensure that sufficiently robust security measures are applied consistently across all systems.

Background

On 3 October 2013, Adobe reported on its website that it had been the target of a cyber-attack. Between 30 August 2013 and 17 September 2013, ‘an unauthorised third party illegally accessed certain customer order information’. Adobe became aware of the unauthorised access on 17 September 2013 when an attempt by the attacker to decrypt card numbers that were a part of the customer order information was discovered by Adobe.

Adobe’s subsequent investigation into the attack discovered that the attacker had compromised a public-facing web server and used this compromised web server to access other servers on Adobe’s network. The attacker transferred data out of Adobe’s network.

The attacker took a copy of a backup database containing the personal information of customers, consisting of:

  • customer usernames (Adobe IDs)
  • email addresses
  • encrypted passwords (a small number of unencrypted passwords, held in a separate database, may also have been compromised)
  • plain text password hints
  • names
  • addresses and telephone numbers of some users
  • encrypted payment card numbers and payment card expiration dates.

Adobe advised the Commissioner that there were:

  • 135,288 Australian users whose encrypted payment card numbers and other payment information were involved in the data breach
  • 1,787,100 Australian active and inactive users whose current password data was involved
  • 218,750 Australian active and inactive users whose obsolete password data was involved
  • 36 Australian users who may have had plain text passwords exposed.

Relevant provisions of the Privacy Act

Until 11 March 2014, organisations covered by the Privacy Act were required to comply with ten National Privacy Principles (NPPs), contained in Schedule 3 of the Privacy Act. The NPPs were replaced by the Australian Privacy Principles (APPs) on 12 March 2014. Adobe was subject to the NPPs at the time of the data breach.

The NPPs applied to the handling of ‘personal information’ which the Privacy Act defined as:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

NPP 2 (use and disclosure) and NPP 4 (data security) were the Privacy Act provisions relevant to this data breach. In particular:

  • NPP 2 stated that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless a listed exception applies.
  • NPP 4.1 provided that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Findings

Use and disclosure (NPP 2)

An organisation ‘discloses’ personal information when it makes it accessible or visible to others outside the organisation and releases the subsequent handling of the personal information from its effective control. The release may be an accidental release or an unauthorised release by an employee. An organisation is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information.

In respect of the data breach, the personal information of Adobe’s customers was accessed as the result of a malicious third party or parties exploiting Adobe’s security systems to gain access to its customers’ personal information. The Commissioner did not consider this to be a ‘disclosure’ by Adobe within the meaning of NPP 2.

Therefore, the Commissioner did not consider Adobe to have breached NPP 2 in this matter.

Data security (NPP 4.1)

In assessing whether Adobe took reasonable steps to comply with NPP 4.1, the Commissioner considered the information provided by Adobe, the OPCC and the DPCI about the security safeguards that were in place prior to the data breach. He also considered what steps would have been reasonable in the circumstances to protect the personal information that Adobe held. This included considering Adobe’s particular circumstances, such as:

  • the amount and sensitivity of the personal information it held
  • the risk to the individuals concerned
  • the ease with which it could implement particular security measures.

The Commissioner also had regard to the guidance set out in the OAIC’s Guide to information security: ‘Reasonable steps’ to protect personal information.[4]

Generally, an organisation will need to have a range of security safeguards in place to protect all of the personal information that it holds that address the particular security risks that are present within that organisation.

Adobe’s submissions to the OAIC indicated that, at the time of the data breach, Adobe had extensive and detailed security measures in place to protect its systems and the personal information that it held, including the following:

  • Information technology security measures, including firewalls, two-factor authentication for remote access, web traffic filtering, and antivirus/antimalware systems.
  • Security training materials available to employees on Adobe’s intranet and annual security training for IT personnel.
  • Monitoring tools for malware detection, data loss prevention traffic monitoring and intrusion detection/intrusion prevention.
  • Annual audit of the database servers that maintain the customer data that was accessed by the attacker.
  • Penetration testing and regular vulnerability scanning on Adobe’s IT-managed network infrastructure.
  • Several incident response plans that establish Adobe’s response procedures for security incidents, depending on the resources involved.
  • A security program that involved a variety of risk assessments, including an annual risk assessment to identify risks at an enterprise-wide level, and assessments to evaluate risks relating to the handling of sensitive information or ‘information which otherwise ought to be subject to higher standards of protection, such as payment card numbers’.

Security of passwords and password hints

The system that the attackers gained access to during the attack was a backup system that was designated to be decommissioned (the ‘backup system’). At the time of the data breach, two data fields within the customer database held on this system were encrypted: ‘password’ and ‘payment card number’.

Adobe introduced a new system in April 2010 as a more secure means of authenticating users than the encrypted passwords stored in the backup system (the ‘new system’). According to an Adobe statement made to Ars Technica:[5]

For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored.

This supports Adobe’s claim that it regularly reassesses and updates its systems and processes in response to changes in technology and emerging risks.

However, despite apparently recognising the deficiencies of the backup system, Adobe continued to store user credential information in that system using a single encryption key and a ‘block cipher’ encryption algorithm. As well as encrypted passwords, the backup system stored user email addresses and plain text password hints.

The choice of a block cipher encryption algorithm, used under a single key and without any per-user salt, meant that common passwords shared by different users had the same ciphertext representation. For example, each of the 1,911,938 users listed in the database who shared the most common password had their password converted into the following ciphertext, which was stored in the database: ‘EQ7fIpT7i/Q=’. Although this ciphertext is meaningless without access to the encryption key, the fact that different users with the same password have the same ciphertext (because of the encryption method used) allows common passwords to be grouped together.

Adobe also stored customer ‘password hints’ in the backup system in plain text rather than in an encrypted format. The OPCC’s investigation found that some of the plain text hints contained the password itself, or an obvious hint. For example, some of the users associated with the password ciphertext set out above provided a password hint which included the actual password. This allows an attacker to infer the password of every one of those nearly 2 million users: ‘123456’.

The use of a block cipher encryption algorithm meant that if one user’s password becomes compromised, the password of every other user in the database with the same password is also compromised. The user credential database taken from the backup system was published on the internet following the attack. Security experts reported that they had been able to circumvent the encryption on the most common passwords by analysing password hints and using other techniques to guess at them.[6] Lists of commonly used passwords, and related ciphertexts, have been posted online.[7] Therefore, the security of passwords of individuals with at least those commonly used passwords has been compromised as a result of the data breach and the method of encryption used by Adobe.

The publication of the encrypted passwords and plain text password hints on the internet has consequences beyond the immediate relationship between Adobe and its customers. Where passwords are compromised, individuals are placed at risk on other systems where they use a common password. While Adobe is not responsible for its customers failing to take its advice to change their passwords, Adobe’s password security measures in the backup system have nonetheless placed some of its customers at an unnecessary risk of harm.

NPP 4 conclusion — whether Adobe took reasonable steps to protect the personal information it held

The Commissioner noted the challenges in guarding against sophisticated cyber-attacks such as this. Taking ‘reasonable steps’ to protect personal information does not mean that an organisation must design impenetrable systems. However, in order for an organisation to comply with the requirement to take ‘reasonable steps’, its security measures must adequately address known risks.

Further, NPP 4 requires an organisation to take reasonable steps to protect all of the personal information that it holds. The requirements of NPP 4 will not be satisfied if an organisation has adequate security measures in place to protect personal information stored in one area of its systems, but does not implement these measures in relation to all of the personal information that it holds.

The information Adobe provided about its security measures indicates that Adobe has a sophisticated and layered approach to information security and the protection of its IT systems. However, encryption techniques vary in their effectiveness, and in their suitability for protecting particular types of information. The passwords stored on the system compromised in the breach were each encrypted, apparently using the same key, rather than being individually salted then hashed. Hashing and salting is a basic security step that Adobe could reasonably have implemented to better protect the passwords in its backup system.[8] Adobe also stored customer ‘password hints’ in plain text rather than in an encrypted format, further exposing its customers’ passwords to risk.
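The following added example (not from the report or from Adobe) contrasts the two storage schemes discussed above: a deterministic, single-key, unsalted transform as in the backup system, and the per-user salted, iterated SHA-256 scheme the report describes for the 2010 authentication system and footnote [8] recommends. Single-key Triple DES is stood in for by a keyed, unsalted HMAC, since the property at issue (equal passwords produce equal stored values) is the same; the key, user records and `example.test` addresses are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed values for the demonstration; not Adobe's key or customer data.
SERVER_KEY = b"constructed-single-server-key"
ITERATIONS = 1000  # the report describes the 2010 system as iterating >1,000 times

USERS: List[Tuple[str, str]] = [
    ("user1@example.test", "123456"),
    ("user2@example.test", "123456"),
    ("user3@example.test", "correct horse battery"),
    ("user4@example.test", "123456"),
]


def backup_style(password: str) -> str:
    """Deterministic, unsalted transform of the password under one key.

    Stand-in for single-key Triple DES: no salt and no per-user input, so
    every user with the same password gets the same stored value.
    """
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


def new_style(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus iterated SHA-256 (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_new_style(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(new_style(password, salt)[1], digest)


def duplicate_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Defender's audit of a credential table: users sharing an identical value.

    Any group here means the store leaks password equality: recovering one
    member's password (for example from a plain-text hint) exposes them all.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return [members for members in groups.values() if len(members) > 1]


def compare_schemes() -> Tuple[int, int]:
    """Number of duplicate groups under the backup-style and new-style schemes."""
    backup_table = {u: backup_style(p) for u, p in USERS}
    new_table = {u: new_style(p)[1].hex() for u, p in USERS}
    return len(duplicate_groups(backup_table)), len(duplicate_groups(new_table))


if __name__ == "__main__":
    print("duplicate groups (backup-style, new-style):", compare_schemes())
```

Running `duplicate_groups` over an existing credential table is a quick way to confirm whether a legacy store has the equality leak the report describes before deciding how to migrate it.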

Given the resources available to Adobe to implement robust security measures consistently across all its systems and the consequences for individuals if the data on the old servers was compromised, the Commissioner found that Adobe breached NPP 4 by failing to take reasonable steps to protect all of the personal information it held from misuse and loss and from unauthorised access, modification or disclosure.

Rectification

Once Adobe became aware of the data breach, it took steps to contain the breach, including:

  • Disconnecting the compromised database server from the network.
  • Initiating an investigation into the data breach.
  • Blacklisting IP addresses.
  • Changing passwords for all administrator accounts.
  • Resetting passwords (on 3-4 October 2013) for users whose Adobe ID and current password data (i.e. a password that was valid against Adobe’s production authentication system) were in the database taken.
  • Notifying affected individuals whose Adobe ID, password data and/or payment card numbers were accessed, including expressing regret for ‘any inconvenience or concern this incident may cause’.
  • Notifying the banks processing customer payments for Adobe, so that they could work with the payment card companies and card-issuing banks to help protect customers’ accounts.
  • Notifying law enforcement authorities.
  • Sending takedown requests to third party site operators that had published the compromised personal information.

The Commissioner expressed concern about the risk of customer passwords being compromised and misused during the period between Adobe discovering that the attacker had accessed encrypted passwords on 23 September 2014 and resetting the passwords nine days later. However the Commissioner noted that Adobe was taking reasonable steps during this time to prepare for the password reset to address this risk.

Adobe also took steps to mitigate against the risk of future data breaches of this nature, including in relation to network monitoring, the storage of payment card information and passwords, two-factor authentication, decommissioning the affected server and abolishing the use of password hints.

Recommendations

The Commissioner was satisfied that the measures that Adobe took in response to the data breach will assist Adobe to significantly strengthen its privacy framework and meet its obligations under the Privacy Act.

The Commissioner endorsed the recommendations of the DPCI in its final report on its investigation into this data breach. In summary, the recommendations specify steps that Adobe can take to enhance its password protection, network security and access security. Adobe has already implemented many of these measures. The Commissioner requested that Adobe ensure it implements all of these recommendations in order to further strengthen its information security systems.

The Commissioner also recommended that Adobe regularly review its data security processes to continue to aim for best privacy practice that protects the personal information of its extensive user base.

The Commissioner recommended that Adobe take steps to ensure that it is able to implement a faster and more widespread notification procedure if it experiences another data breach of this nature and scale.

Adobe advised that it intends to engage a suitably qualified independent auditor to certify that it has implemented a number of security measures to strengthen its information security systems.

Conclusion

The Commissioner found that Adobe breached NPP 4 by failing to take reasonable steps to protect the personal information it held from misuse and loss and from unauthorised access, modification or disclosure.

The Commissioner was satisfied that Adobe responded quickly and effectively when it discovered the attack on its systems, working to secure its servers, contain and respond to the data breach, and to implement steps to mitigate against future data breaches of this nature.

Based on Adobe’s remediation activities and its intention to engage an auditor to confirm its remediation steps, the Commissioner decided to close the investigation.

Acronyms and abbreviations

Commissioner — Australian Privacy Commissioner

Adobe — Adobe Systems Software Ireland Ltd

NPPs — National Privacy Principles (contained in Schedule 3 of the Privacy Act 1988 (Cth), prior to 12 March 2014)

OAIC — Office of the Australian Information Commissioner

Privacy Act — Privacy Act 1988 (Cth)

Footnotes

[1] See Important Customer Security Announcement, <blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html>.

[2] The DPCI and OAIC entered into a Memorandum of Understanding on Mutual Assistance in the Enforcement of Laws Protecting Personal Information in the Private Sector on 25 April 2014. See OAIC website <www.oaic.gov.au/about-us/corporate-information/memorandums-of-understanding/mou-oaic-dpci>.

[3] Under the APEC Cross-Border Privacy Enforcement Arrangement.

[4] Replaced in January 2015 with the OAIC’s Guide to securing personal information: ‘Reasonable steps’ to protect personal information, January 2015, OAIC website <www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-securing-personal-information>.

[5] See Ars Technica, How an epic blunder by Adobe could strengthen hand of password crackers, 1 November 2013 (viewed 2 September 2014), Ars Technica website <arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers>.

[6] See Reuters UK, Adobe says breach notification taking longer than anticipated, viewed 2 September 2014, Reuters UK website <uk.reuters.com/article/2013/11/25/us-adobe-cyberattack-idUKBRE9AO10R20131125>.

[7] See, e.g., Top 100 Adobe Passwords with Count, <https://stricture-group.com/files/adobe-top100.txt>.

[8] Generally speaking, ‘salting’ is where an additional string of data, such as random numbers or text, is added to the password to make it less predictable and harder to attack, and ‘hashing’ is where passwords are processed through cryptographic algorithms that convert them into seemingly random characters. While passwords may be guessed through computational ‘brute-force’ attacks, this becomes very difficult when strong hash algorithms and passwords are used. Hashed passwords are therefore more secure to store than clear-text passwords.