Privacy Commissioner in Australia resolves investigation of privacy breach at Adobe
June 9, 2015
When Adobe announced on 3 October 2013 that it had suffered a data breach, the event was regarded as totemic. Since then there have been breaches which have pushed the Adobe breach into the more mundane category. It affected the accounts of hundreds of thousands of Australians. The data breach and notification by Adobe occurred prior to 12 March 2014, so the investigation was conducted under the “old” provisions, and the own motion investigation report is therefore constrained in the sanctions that can be imposed.
The Commissioner’s media release provides:
The Australian Privacy Commissioner, Timothy Pilgrim, has found that Adobe Systems Software Ireland Pty Ltd (Adobe) breached the Privacy Act 1988, following a cyber-attack that affected at least 38 million Adobe customers globally, including over 1.7 million Australians.
Recognising the global nature of this incident, the Commissioner’s investigation was conducted in cooperation with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada.
The Commissioner’s investigation found that Adobe failed to take reasonable steps to protect all of the personal information it held. ‘The Privacy Act does not require an organisation to design impenetrable systems, however, this case demonstrates the importance of organisations applying sufficiently robust security measures consistently across systems,’ Mr Pilgrim said.
The personal information compromised in the attack was held on a backup system that was designated to be decommissioned. The information included email addresses, encrypted passwords, plain text password hints and encrypted payment card numbers and payment card expiration dates.
‘Adobe generally takes a sophisticated and layered approach to information security and the protection of its IT systems,’ Mr Pilgrim acknowledged. ‘However I was particularly concerned about the way in which Adobe protected its customers’ email addresses and associated passwords in the compromised system.’
The type of encryption that Adobe used for the customer passwords stored in its backup system, together with password hints stored in plain text, allowed security experts to identify the most common passwords and the customer accounts associated with those passwords.
‘I am satisfied that the measures that Adobe took in response to the data breach will assist it to significantly strengthen its privacy framework and meet its obligations under the Privacy Act. I have asked Adobe to engage an independent auditor to certify that it has implemented the planned remediation, and to provide me with a copy of the certification and auditor report by 30 June 2015’, Mr Pilgrim said.
Background information
As this breach occurred prior to 12 March 2014, Adobe was subject to the National Privacy Principles (NPP). The Commissioner’s investigation focused on NPP 2 (use and disclosure) and NPP 4 (data security):
- NPP 2 stated that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless a listed exception applies.
- NPP 4.1 provided that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
NPP 2 was replaced on 12 March 2014 by Australian Privacy Principle (APP) 6, and NPP 4 was replaced by APP 11. The requirements of these APPs are substantially similar to the two NPPs.
Further, as the breach occurred before 12 March 2014, the Privacy Commissioner’s powers, under the Privacy Act 1988, to resolve the investigation were limited to making recommendations.
The OAIC and Data Protection Commissioner of Ireland exchanged information about the data breach in accordance with the Memorandum of Understanding on Mutual Assistance in the Enforcement of Laws Protecting Personal Information in the Private Sector, which they entered into on 25 April 2014.
The OAIC and Office of the Privacy Commissioner of Canada exchanged information under the APEC Cross-Border Privacy Enforcement Arrangement.
The Privacy Commissioner’s own motion investigation provides:
On 13 December 2013, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into Adobe Systems Software Ireland Ltd (Adobe) following Adobe’s statement on its website that it had been the target of a cyber-attack ‘involving the illegal access of customer information as well as source code for numerous Adobe products’ (the data breach).
The investigation focused on whether Adobe took reasonable steps to protect the personal information that it held from misuse and loss and from unauthorised access, modification or disclosure.
As part of his decision-making process, the Commissioner considered the facts of the case, submissions from Adobe and relevant provisions of the Privacy Act 1988 (Cth) (the Privacy Act).
This data breach affected the personal information of millions of individuals globally. In order to maximise the efficiency of his investigation and avoid regulatory duplication, the Commissioner liaised with the Data Protection Commissioner of Ireland (DPCI) and the Office of the Privacy Commissioner of Canada (OPCC) throughout the course of his investigation, and referred to the analysis of the data breach conducted by the DPCI and OPCC in making his findings.
The Commissioner came to the view that Adobe had breached the Privacy Act by failing to take reasonable steps to protect all of the personal information it held from misuse and loss and from unauthorised access, modification or disclosure. In particular, the Commissioner had concerns about how Adobe protected user credential information (email addresses and associated passwords).
While Adobe generally took a sophisticated and layered approach to information security and the protection of its IT systems, it failed to implement consistently strong security measures across its various internal systems. In particular, a backup server stored a database of unencrypted credential information (email addresses and password hints) of over 1.7 million Australian users, directly linked to the encrypted password for each user. The type of encryption used, together with plaintext password hints, allowed security experts with access to the database, which became widely available on the internet after the breach, to identify the 100 most common passwords and customer accounts associated with those passwords.
This data breach demonstrates the importance of designing an information security system with multiple levels of protections, checks and balances, and for organisations to ensure that sufficiently robust security measures are applied consistently across all systems.
Background
On 3 October 2013, Adobe reported on its website that it had been the target of a cyber-attack. Between 30 August 2013 and 17 September 2013, ‘an unauthorised third party illegally accessed certain customer order information’. Adobe became aware of the unauthorised access on 17 September 2013 when an attempt by the attacker to decrypt card numbers that were a part of the customer order information was discovered by Adobe.
Adobe’s subsequent investigation into the attack discovered that the attacker had compromised a public-facing web server and used this compromised web server to access other servers on Adobe’s network. The attacker transferred data out of Adobe’s network.
The attacker took a copy of a backup database containing the personal information of customers, consisting of:
- customer usernames (Adobe IDs)
- email addresses
- encrypted passwords (a small number of unencrypted passwords, held in a separate database, may also have been compromised)
- plain text password hints
- names
- addresses and telephone numbers of some users
- encrypted payment card numbers and payment card expiration dates.
Adobe advised the Commissioner that there were:
- 135,288 Australian users whose encrypted payment card numbers and other payment information were involved in the data breach
- 1,787,100 Australian active and inactive users whose current password data was involved
- 218,750 Australian active and inactive users whose obsolete password data was involved
- 36 Australian users who may have had plain text passwords exposed.
Relevant provisions of the Privacy Act
Until 11 March 2014, organisations covered by the Privacy Act were required to comply with ten National Privacy Principles (NPPs), contained in Schedule 3 of the Privacy Act. The NPPs were replaced by the Australian Privacy Principles (APPs) on 12 March 2014. Adobe was subject to the NPPs at the time of the data breach.
The NPPs applied to the handling of ‘personal information’ which the Privacy Act defined as:
information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
NPP 2 (use and disclosure) and NPP 4 (data security) were the Privacy Act provisions relevant to this data breach. In particular:
NPP 2 stated that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless a listed exception applies.
NPP 4.1 provided that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Findings
Use and disclosure (NPP 2)
An organisation ‘discloses’ personal information when it makes it accessible or visible to others outside the organisation and releases the subsequent handling of the personal information from its effective control. The release may be an accidental release or an unauthorised release by an employee. An organisation is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information.
In respect of the data breach, the personal information of Adobe’s customers was accessed as the result of a malicious third party or parties exploiting Adobe’s security systems to gain access to its customers’ personal information. The Commissioner did not consider this to be a ‘disclosure’ by Adobe within the meaning of NPP 2.
Therefore, the Commissioner did not consider Adobe to have breached NPP 2 in this matter.
Data security (NPP 4.1)
In assessing whether Adobe took reasonable steps to comply with NPP 4.1, the Commissioner considered the information provided by Adobe, the OPCC and the DPCI about the security safeguards that were in place prior to the data breach. He also considered what steps would have been reasonable in the circumstances to protect the personal information that Adobe held. This included considering Adobe’s particular circumstances, such as:
- the amount and sensitivity of the personal information it held
- the risk to the individuals concerned
- the ease with which it could implement particular security measures.
The Commissioner also had regard to the guidance set out in the OAIC’s Guide to information security: ‘Reasonable steps’ to protect personal information.
Generally, an organisation will need to have a range of security safeguards in place to protect all of the personal information that it holds that address the particular security risks that are present within that organisation.
Adobe’s submissions to the OAIC indicated that, at the time of the data breach, Adobe had extensive and detailed security measures in place to protect its systems and the personal information that it held, including the following:
- Information technology security measures, including firewalls, two-factor authentication for remote access, web traffic filtering, and antivirus/antimalware systems.
- Security training materials available to employees on Adobe’s intranet and annual security training for IT personnel.
- Monitoring tools for malware detection, data loss prevention traffic monitoring and intrusion detection/intrusion prevention.
- Annual audit of the database servers that maintain the customer data that was accessed by the attacker.
- Penetration testing and regular vulnerability scanning on Adobe’s IT-managed network infrastructure.
- Several incident response plans that establish Adobe’s response procedures for security incidents, depending on the resources involved.
- A security program that involved a variety of risk assessments, including an annual risk assessment to identify risks at an enterprise-wide level, and assessments to evaluate risks relating to the handling of sensitive information or ‘information which otherwise ought to be subject to higher standards of protection, such as payment card numbers’.
Security of passwords and password hints
The system that the attackers gained access to during the attack was a backup system that was designated to be decommissioned (the ‘backup system’). At the time of the data breach, two data fields within the customer database held on this system were encrypted: ‘password’ and ‘payment card number’.
Adobe introduced a new system in April 2010 as a more secure means of authenticating users than the encrypted passwords stored in the backup system (the ‘new system’). According to an Adobe statement made to Ars Technica:
For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored.
This supports Adobe’s claim that it regularly reassesses and updates its systems and processes in response to changes in technology and emerging risks.
However, despite apparently recognising the deficiencies of the backup system, Adobe continued to store user credential information in that system using a single encryption key and a ‘block cipher’ encryption algorithm. As well as encrypted passwords, the backup system stored user email addresses and plain text password hints.
The choice of a block cipher encryption algorithm meant that common passwords shared by different users had the same ciphertext representation. For example, each of the 1,911,938 users listed in the database who shared the most common password had their password converted into the following ciphertext which was stored in the database: ‘EQ7fIpT7i/Q=’. Although this cipher text is meaningless without access to the encryption key, the fact that different users with the same passwords have the same cipher text (because of the encryption method used) allows common passwords to be grouped together.
Adobe also stored customer ‘password hints’ in the backup system in plain text rather than in an encrypted format. The OPCC’s investigation found that some of the plain text hints contained the password itself, or an obvious hint. For example, some of the users associated with the password ciphertext set out above provided a password hint which included the actual password. This allows an attacker to infer the password of every one of those nearly 2 million users: ‘123456’.
The use of a block cipher encryption algorithm meant that if one user’s password becomes compromised, the password of every other user in the database with the same password is also compromised. The user credential database taken from the backup system was published on the internet following the attack. Security experts reported that they had been able to circumvent the encryption on the most common passwords by analysing password hints and using other techniques to guess at them. Lists of commonly used passwords, and related ciphertexts, have been posted online. Therefore, the security of passwords of individuals with at least those commonly used passwords has been compromised as a result of the data breach and the method of encryption used by Adobe.
The publication of the encrypted passwords and plain text password hints on the internet has consequences beyond the immediate relationship between Adobe and its customers. Where passwords are compromised, individuals are placed at risk on other systems where they use a common password. While Adobe is not responsible for its customers failing to take its advice to change their passwords, Adobe’s password security measures in the backup system have nonetheless placed some of its customers at an unnecessary risk of harm.
NPP 4 conclusion — whether Adobe took reasonable steps to protect the personal information it held
The Commissioner noted the challenges in guarding against sophisticated cyber-attacks such as this. Taking ‘reasonable steps’ to protect personal information does not mean that an organisation must design impenetrable systems. However, in order for an organisation to comply with the requirement to take ‘reasonable steps’, its security measures must adequately address known risks.
Further, NPP 4 requires an organisation to take reasonable steps to protect all of the personal information that it holds. The requirements of NPP 4 will not be satisfied if an organisation has adequate security measures in place to protect personal information stored in one area of its systems, but does not implement these measures in relation to all of the personal information that it holds.
The information Adobe provided about its security measures indicates that Adobe has a sophisticated and layered approach to information security and the protection of its IT systems. However, encryption techniques vary in their effectiveness, and in their suitability for protecting particular types of information. The passwords stored on the system compromised in the breach were each encrypted, apparently using the same key, rather than being individually salted then hashed. Hashing and salting is a basic security step that Adobe could reasonably have implemented to better protect the passwords in its backup system. Adobe also stored customer ‘password hints’ in plain text rather than in an encrypted format, further exposing its customers’ passwords to risk.
Given the resources available to Adobe to implement robust security measures consistently across all its systems and the consequences for individuals if the data on the old servers was compromised, the Commissioner found that Adobe breached NPP 4 by failing to take reasonable steps to protect all of the personal information it held from misuse and loss and from unauthorised access, modification or disclosure.
Rectification
Once Adobe became aware of the data breach, it took steps to contain the breach, including:
- Disconnecting the compromised database server from the network.
- Initiating an investigation into the data breach.
- Blacklisting IP addresses.
- Changing passwords for all administrator accounts.
- Resetting passwords (on 3-4 October 2013) for users whose Adobe ID and current password data (i.e. a password that was valid against Adobe’s production authentication system) were in the database taken.
- Notifying affected individuals whose Adobe ID, password data and/or payment card numbers were accessed, including expressing regret for ‘any inconvenience or concern this incident may cause’.
- Notifying the banks processing customer payments for Adobe, so that they could work with the payment card companies and card-issuing banks to help protect customers’ accounts.
- Notifying law enforcement authorities.
- Sending takedown requests to third party site operators that had published the compromised personal information.
The Commissioner expressed concern about the risk of customer passwords being compromised and misused during the period between Adobe discovering that the attacker had accessed encrypted passwords on 23 September 2014 and resetting the passwords nine days later. However the Commissioner noted that Adobe was taking reasonable steps during this time to prepare for the password reset to address this risk.
Adobe also took steps to mitigate against the risk of future data breaches of this nature, including in relation to network monitoring, the storage of payment card information and passwords, two-factor authentication, decommissioning the affected server and abolishing the use of password hints.
Recommendations
The Commissioner was satisfied that the measures that Adobe took in response to the data breach will assist Adobe to significantly strengthen its privacy framework and meet its obligations under the Privacy Act.
The Commissioner endorsed the recommendations of the DPCI in its final report on its investigation into this data breach. In summary, the recommendations specify steps that Adobe can take to enhance its password protection, network security and access security. Adobe has already implemented many of these measures. The Commissioner requested that Adobe ensure it implements all of these recommendations in order to further strengthen its information security systems.
The Commissioner also recommended that Adobe regularly review its data security processes to continue to aim for best privacy practice that protects the personal information of its extensive user base.
The Commissioner recommended that Adobe takes steps to ensure that it is able to implement a faster and more wide-spread notification procedure if it experiences another data breach of this nature and scale.
Adobe advised that it intends to engage a suitably qualified independent auditor to certify that it has implemented a number of security measures to strengthen its information security systems.
Conclusion
The Commissioner found that Adobe breached NPP 4 by failing to take reasonable steps to protect the personal information it held from misuse and loss and from unauthorised access, modification or disclosure.
The Commissioner was satisfied that Adobe responded quickly and effectively when it discovered the attack on its systems, working to secure its servers, contain and respond to the data breach, and to implement steps to mitigate against future data breaches of this nature.
Based on Adobe’s remediation activities and its intention to engage an auditor to confirm its remediation steps, the Commissioner decided to close the investigation.
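The report's point about single-key block-cipher encryption versus salted, iterated hashing, as an added Go example (not code from the Commissioner's report or from Adobe; the key, the three sample users and their hints are constructed): EncryptECB reproduces the grouping property, DuplicateCiphertexts is a check a defender can run over a credential store to detect it, and HashSalted/VerifySalted show the per-user salted SHA-256 alternative the report endorses.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
)

// Record is a constructed credential row: email, encrypted password, plain-text hint.
type Record struct {
	Email, Cipher, Hint string
}

// EncryptECB models the backup system: one fixed Triple DES key, no IV, no salt,
// each 8-byte block encrypted independently, so equal passwords give equal ciphertext.
func EncryptECB(key []byte, pw string) (string, error) {
	block, err := des.NewTripleDESCipher(key) // key must be 24 bytes
	if err != nil {
		return "", err
	}
	n := 8 - len(pw)%8 // PKCS#7 padding to the DES block size
	src := append([]byte(pw), bytes.Repeat([]byte{byte(n)}, n)...)
	dst := make([]byte, len(src))
	for i := 0; i < len(src); i += 8 {
		block.Encrypt(dst[i:], src[i:])
	}
	return base64.StdEncoding.EncodeToString(dst), nil
}

// HashSalted is the alternative the report endorses: a per-user random salt
// (generated by the caller, stored beside the digest) and SHA-256 iterated iters times.
func HashSalted(pw string, salt []byte, iters int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 1; i < iters; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

// VerifySalted recomputes the digest for a login attempt and compares in constant time.
func VerifySalted(pw string, salt, digest []byte, iters int) bool {
	return subtle.ConstantTimeCompare(HashSalted(pw, salt, iters), digest) == 1
}

// DuplicateCiphertexts audits a store: it returns each ciphertext shared by two or
// more rows with its count. Any hit means deterministic encryption is in use.
func DuplicateCiphertexts(rows []Record) map[string]int {
	counts := map[string]int{}
	for _, r := range rows {
		counts[r.Cipher]++
	}
	for c, n := range counts {
		if n < 2 {
			delete(counts, c)
		}
	}
	return counts
}

// SampleStore builds a constructed three-row store in which two users share "123456".
func SampleStore(key []byte) ([]Record, error) {
	users := [][3]string{{"a@example.test", "123456", "digits"},
		{"b@example.test", "123456", "one to six"}, {"c@example.test", "correct horse", "xkcd"}}
	rows := make([]Record, 0, len(users))
	for _, u := range users {
		c, err := EncryptECB(key, u[1])
		if err != nil {
			return nil, err
		}
		rows = append(rows, Record{u[0], c, u[2]})
	}
	return rows, nil
}
```

The ciphertext produced here depends on the constructed key, so it will not match the value quoted in the report, but the two rows that share a password still collide exactly as the report describes.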
This report has been covered by itnews in “Adobe failed to properly protect customer data: Pilgrim”, which provides:
Lack of security on old server made hacker’s work too easy.
Following an 18 month investigation conducted in partnership with Pilgrim’s equivalents in Canada and Ireland, the privacy office today ruled Adobe failed to take “reasonable steps” to protect the personal information of 1.7 million Australians to the level demanded by domestic privacy legislation.
The breach occurred between August and September 2013. It exposed 135,288 Australian credit card details and 1,787,100 active local passwords amongst 38 million affected users globally.
Pilgrim said Adobe ran sophisticated and mature information security protections generally, but dropped the ball on one single internal server that was due to be decommissioned but still held the details of millions of users.
The hacked database contained password hints and emails stored in plain text, linked directly to passwords themselves protected only by block cipher encryption.
Pilgrim said the single-key block cipher encryption resulted in all commonly used passwords displaying as the same ciphertext code – making them easy pickings for hackers who aggregated the common results and matched them en masse to the most commonly used passwords.
He reported many users actually wrote out the password itself in their password hint, which Adobe did not encrypt. Out of the millions of Adobe customers affected by the breach, nearly 2 million were using the password 123456.
“Hashing and salting is a basic security step that Adobe could reasonably have implemented to better protect the passwords in its backup system,” the Privacy Commissioner advised in his report.
“Adobe also stored customer ‘password hints’ in plain text rather than in an encrypted format, further exposing its customers’ passwords to risk.”
The database of customer details was subsequently posted online. Despite his criticisms, Pilgrim commended Adobe for quickly resetting passwords, notifying customers and issuing takedown requests to websites hosting the stolen data.
He said he was happy with the remediation efforts Adobe implemented following the incident.
The breach took place before expanded Australian privacy legislation took effect in March 2014, meaning the Privacy Commissioner does not have the option of imposing a financial penalty on the company.