BreachExchange mailing list archives

Adobe failed to properly protect customer data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Jun 2015 20:00:30 -0600

http://www.itnews.com.au/News/404999,adobe-failed-to-properly-protect-customer-data-pilgrim.aspx

US software provider Adobe breached its obligations to Australian customers
when hackers broke into its systems in 2013 and made off with loosely
encrypted passwords and credit card details, Australian Privacy
Commissioner Timothy Pilgrim has found.

Following an 18-month investigation conducted in partnership with Pilgrim's
equivalents in Canada and Ireland, the privacy office today ruled Adobe
failed to take “reasonable steps” to protect the personal information of
1.7 million Australians to the level demanded by domestic privacy
legislation.

The breach occurred between August and September 2013. It exposed 135,288
Australian credit card details and 1,787,100 active local passwords amongst
38 million affected users globally.

Pilgrim said Adobe ran sophisticated and mature information security
protections generally, but dropped the ball on one single internal server
that was due to be decommissioned but still held the details of millions of
users.

The hacked database contained password hints and emails stored in plain
text, linked directly to passwords themselves protected only by block
cipher encryption.

Pilgrim said the single-key block cipher encryption resulted in all
commonly used passwords displaying as the same ciphertext code - making
them easy pickings for hackers who aggregated the common results and
matched them en masse to the most commonly used passwords.

He reported many users actually wrote out the password itself in their
password hint, which Adobe did not encrypt. Out of the millions of Adobe
customers affected by the breach, nearly 2 million were using the password
123456.

“Hashing and salting is a basic security step that Adobe could reasonably
have implemented to better protect the passwords in its backup system,” the
Privacy Commissioner advised in his report (pdf).

“Adobe also stored customer ‘password hints’ in plain text rather than in
an encrypted format, further exposing its customers’ passwords to risk.”
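As an added illustration (not from the article or the Commissioner's report), the Python below shows why a deterministic single-key cipher preserves password equality, so that accounts sharing a password collapse into one ciphertext cluster, and why a per-user salt plus a slow KDF removes that property. The HMAC-based `legacy_store` is a stand-in for the block cipher (any deterministic keyed transform clusters the same way), the key is a placeholder, and the user list is constructed.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, List, Optional

# Constructed sample store; in the Adobe case the biggest cluster was "123456".
SAMPLE_USERS = [
    ("alice", "123456"), ("bob", "123456"), ("carol", "123456"),
    ("dave", "password"), ("erin", "password"), ("frank", "Tr0ub4dor&3"),
]
LEGACY_KEY = b"\x00" * 16  # placeholder for the single site-wide key
KDF_ITERATIONS = 100_000


def legacy_store(password: str) -> bytes:
    # Stand-in for a single-key block cipher used deterministically (ECB-style):
    # same key + same password always yields the same stored bytes.
    return hmac.new(LEGACY_KEY, password.encode(), hashlib.sha256).digest()[:16]


def salted_store(password: str, salt: Optional[bytes] = None) -> bytes:
    # Per-user random salt + slow KDF: equal passwords get unrelated digests.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt + digest  # the salt is stored alongside the digest; it is not secret


def salted_verify(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def cluster_sizes(stored_values: Iterable[bytes]) -> List[int]:
    # Audit helper: how many accounts share each stored value, largest first.
    # Any cluster larger than 1 means the store preserves password equality.
    return sorted(Counter(stored_values).values(), reverse=True)


def largest_cluster(store_fn) -> int:
    return cluster_sizes(store_fn(pw) for _, pw in SAMPLE_USERS)[0]


if __name__ == "__main__":
    print("legacy largest cluster:", largest_cluster(legacy_store))  # 3
    print("salted largest cluster:", largest_cluster(salted_store))  # 1
```

Running `cluster_sizes` over a real credential store is a quick check for whether it preserves equality; the salted scheme never produces a cluster above 1 regardless of how many users share a password.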

The database of customer details was subsequently posted online. Despite
his criticisms, Pilgrim commended Adobe for quickly resetting passwords,
notifying customers and issuing takedown requests to websites hosting the
stolen data.

He said he was happy with the remediation efforts Adobe implemented
following the incident.

The breach took place before expanded Australian privacy legislation took
effect in March 2014, meaning the Privacy Commissioner does not have the
option of imposing a financial penalty on the company.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 