When it comes to storing personal information on a computer network, you’d be forgiven for trusting a multinational computer software company to do so securely.

However, just last month, the Privacy Commissioner concluded an 18-month investigation into Adobe, finding it had breached Australia’s Privacy Act when it left 38 million customers, including 1.7 million Australians, exposed to fraud in 2013.

Despite having a sophisticated and layered approach to information security across the rest of its internal systems, Adobe breached NPP 4 (the predecessor to Australian Privacy Principle 11) when it left a backup server, designated for decommissioning, protected only by an outdated single encryption key and block cipher encryption algorithm. Its failure to apply its standard security controls uniformly allowed the old Adobe server to be exploited by attackers.

And that’s just what happened. Hackers found the weakness, gained access, and made copies of the server, which contained large quantities of personal information about Adobe’s customers, including their passwords and security questions.

Australia’s Privacy Commissioner, in conjunction with his counterparts in Ireland and Canada, conducted an own-motion investigation into the breach following an Adobe press release indicating that its customer information and source code had been illegally accessed. Under NPP 4, Adobe had an obligation to ‘take reasonable steps’ to protect the personal information it held from unauthorised access, modification or disclosure. The Regulator found that it didn’t.

Whilst the Commissioner was at pains to emphasise that taking ‘reasonable steps’ does not require an organisation to design an impenetrable system, organisations are expected to adequately address known risks. Adobe provided evidence of the extensive and detailed security measures it had in place at the time of the breach; however, these were not applied to the lone backup system that was exploited. Given the resources available to Adobe to implement robust security measures across all of its systems, and weighing the consequences for individuals if the data it held was compromised, the Commissioner found there had been a breach of the Act.

NPP 4 is now reflected in the currently applicable Australian Privacy Principle 11. The Regulator’s determination last week is a timely reminder of the compliance obligations imposed by the Privacy Act, and of the legal and specialist expenses that can flow from a data breach incident, whether or not it is reported to that Regulator.