After a significant Adobe data breach, customer questions company's security safeguards and the response it provided about impacts on his personal information

PIPEDA Report of Findings #2014-015

September 3, 2014


In 2013, a regular Adobe customer in Alberta learned through media reports that a significant data breach had occurred at the company. When he contacted Adobe about the breach, a representative assured him that he had not been affected. However, he subsequently discovered certain pieces of his personal information, his spouse's and other Adobe customers, located online as part of a "database dump" file readily accessible on a Web site allegedly frequented by cyber criminals, which made him question what Adobe had told him. The complainant then submitted a complaint to our Office about both Adobe's response to him, as well as the company's data security.

At the outset of our investigation, Adobe contested our jurisdiction to investigate because it was of the view that PIPEDA did not apply to its Canadian customers impacted by the breach. Adobe cited various reasons for its position, including: Adobe had collected and stored the customer information at issue in the US; it is a US-based company; and both its terms of use document and its privacy policy stated that the law of California applied to its North American customers.

After considering Adobe's arguments, our Office found that PIPEDA did apply to this complaint since the company collects, uses and discloses personal information in the course of commercial activities with a real and substantial connection to Canada.

Concerning the breach, Adobe informed us that the breach had impacted usernames, encrypted passwords, password hints in plain text, names, addresses, email addresses, encrypted payment card numbers, and other information and data related to customer orders. However, Adobe clarified that the complainant was not notified of the breach because only his name, address, telephone number and "Adobe ID" were compromised by the breach. The company explained that because the complainant's payment card and password data was not compromised, this may have been the reason why he was initially told that he had not been affected by the breach when he contacted Adobe. Our Office, however, took issue with the quality of the response from Adobe, since it was not transparent and clearly inaccurate.

With regard to security safeguards, our analysis concluded that those in place at the time were not appropriate to the sensitivity of the personal information being protected, although we noted that Adobe did have a security plan in place. Overall, Adobe was very forthcoming with our Office in describing the details of its systems and operations.

Our Office was ultimately satisfied with the specific technical measures taken by Adobe since the incident. Notable additional measures that were taken included enhancing its user-password management process and its server authentication system, decommissioning the server affected by the breach and reducing the retention period of customer payment data.

As such, our Office found that the complaint was well-founded and resolved.

Lessons Learned

  • Safeguards appropriate to the sensitivity of the personal information must be in place to protect it against loss, theft, unauthorized access, disclosure, copying, use or modification.
  • Organizations should keep in mind our Office's Key Steps for Organizations in Responding to Privacy Breaches, which were issued to encourage adequate — and accurate — responses and follow-ups to breaches.

REPORT OF FINDINGS

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”) or “PIPEDA”

  1. The complainant alleged that his personal information was disclosed by Adobe Systems Inc. ("Adobe") during an October 2013 data breach that was reported in the media ("the Data Breach"). He also alleged that when he called Adobe to determine whether he was affected by the Data Breach, Adobe told him that he was not affected. However, he later was able to readily find his wife's and his own personal information that he had provided to Adobe from a third party on the Internet. He is seeking that Adobe provide additional information to customers on what personal information exactly was stolen. He also alleged that, for the Data Breach to occur, Adobe's security safeguards protecting his personal information would have been inadequate.

Summary of Investigation

  1. The complainant, a resident of Alberta, was an Adobe customer with an active account, having purchased a number of their software products and being a subscriber to their cloud file hosting service.
  2. He became aware of the Data Breach at Adobe through media reports in 2013, but was not directly advised of the breach by Adobe.
  3. When the complainant called Adobe personally to confirm his account status, he was told that he was not amongst the customers affected by the Data Breach.
  4. The complainant then changed the passwords of his Adobe account and started his own investigation. He subsequently discovered certain of his personal information, his spouse's and other Adobe customers, located online as part of a "database dump" file readily accessible on a Web site allegedly frequented by cyber criminals.
  5. He complained to our Office, and we accepted his complaint on November 8, 2013.
  6. Our Office's subsequent investigation was conducted in collaboration with that of the Office of the Data Protection Commissioner of Ireland (the "ODPCI"). Although information was shared between our respective offices, and we have collaborated jointly on the review and assessment of this information, each of our offices is issuing its own report.

Jurisdiction

  1. In our initial contact with Adobe regarding the Data Breach, Adobe took the position that PIPEDA did not apply to Canadian consumers impacted by the Data Breach. Adobe argued that Canadian consumers contract for services with Adobe, which is a US-based company. Specifically, Adobe pointed to a "Choice of Law" provision in its Terms of Use and a statement in its Privacy Policy which indicate that the law of California applies to Adobe's relationship with consumers in North America. Adobe stated that the customer information at issue was collected and stored in the US by Adobe. Adobe also stated that it sent all marketing material to Canadian consumers and that it was responsible for notifications of the Data Breach. For these reasons, Adobe asserted that US, rather than Canadian law, applied to Adobe's handling of personal information of Canadians.
  2. When we notified Adobe of the complaint, we informed it that, in our view and based on the information at hand, PIPEDA applied. We indicated to Adobe that there were several factors supporting the position that Adobe's activities at issue in the complaint had a real and substantial connection to Canada (factors outlined at paragraph 24 of the report). Adobe indicated that it disagreed with this position, but committed nevertheless to cooperate with our Office's investigation.

Details Regarding the Data Breach

  1. In its representations to our Office, Adobe described a sophisticated, long-term intrusion of its computer systems that resulted in the breach of Adobe customer information by attackers.
  2. The attackers were able to access personal information of Adobe customers including the following types of information: usernames, encrypted passwords, password hints in plain text, names, addresses, email addresses, encrypted payment card numbers, and other information and data related to customer orders.
  3. Adobe publicly disclosed the breach and provided details to consumers. When queried by our Office, Adobe estimated that over one million Canadian customers were affected, although not all of them had each data element of the aforementioned types of personal information accessed by the attackers. Adobe confirmed to our Office that it had sent out breach notification letters or emails to Canadian account users for whom either their payment card number or passwords were compromised.
  4. Regarding the complainant's own personal information, Adobe stated that although the customer-database tables accessed by the attackers did contain the complainant's name, physical address, telephone number, and Adobe ID (his ID was also his email address), these tables did not contain the complainant's password, his payment card data, or any other information about him that Adobe considers to be sensitive. As a result, Adobe stated that it did not notify the complainant that his personal information had been accessed via the Data Breach.
  5. We have no reason to believe that the attackers accessed personal information of the complainant other than his name, email address, physical address, and telephone number.
  6. As to the complainant's allegation that Adobe did not inform him that his personal information had been compromised when he called, Adobe stated it experienced a high number of calls about the breach, particularly from customers concerned that their passwords and payment card information had been compromised. The Adobe customer service representative may have assumed that the complainant was enquiring as to whether this type of information had been compromised. Since it had not been, at least in relation to the complainant, the complainant was told he was not affected.

Security Safeguards

  1. Concerning the complainant's allegation of inadequate safeguards, our Office, along with the ODPCI, identified a number of concerns in the design and management of Adobe's computer systems. Specifically, we were concerned by the following: password management, outdated software, redundant systems containing personal information, insecure and inadequate logging, retention of data for longer than necessary, and a failure to isolate corporate computer systems from the engineering network.
  2. As a specific example of concern to us, we noted that password management was greatly hampered by the use of a deprecated encryption format and plain-text password hints. Since the plain text hints sometimes contained the password itself (or a very obvious hint) and the encryption format used by Adobe scrambled identical passwords in the same way, it would be relatively easy to obtain access to several different accounts where the same password was used by starting with the hint/password obtained from one account.
  3. Adobe maintained that it had reasonable and appropriate security safeguards, including a robust data security program involving administrative, physical and technical security measures. Adobe also submitted that some of the concerns identified by our Office were not related to the unauthorized access that led to the Data Breach.
  4. Adobe was very forthcoming to our Office in further describing the details of its technological systems and operations, some of which had been inherited as a result of absorbing other companies. Aspects of the inherited systems and operations appear to have contributed to the security safeguard problems.
  5. Our Office conducted a technical analysis of Adobe's immediate response to the breach. We also assessed the remedial measures Adobe made to its systems and operations — i.e., the measures adopted to prevent any recurrence.

Application

  1. In making our determinations, we applied Principles 4.7 and 4.7.1 from Schedule 1 of the Act.
  2. Principle 4.7 specifies that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  3. Principle 4.7.1 stipulates that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

Findings

Jurisdiction

  1. Notwithstanding Adobe's objection, we are of the view that PIPEDA applies to the complaint. The established test for determining whether PIPEDA applies to an organization based outside of Canada is whether the organization collects, uses or discloses personal information in the course of commercial activities with a real and substantial connection to Canada: see Lawson v. Accusearch Inc., 2007 FC 125. There are a number of factors which, in this case, point to a real and substantial connection to Canada. In particular:
    • The complainant's personal information was collected from Canada by Adobe;
    • Adobe advertises its products and services to Canadians;
    • Adobe has a Canadian Web site that actively targets Canadians, that can be accessed by Canadians, and from which Canadians may purchase Adobe products and services;
    • Adobe, through Adobe Systems Canada Inc., has a physical presence in Canada, with an office and employees in Canada; and
    • Adobe requires personal information of Canadians in order to be able to offer its products and services to Canadians, through its Web site and other channels.
  2. The fact that Adobe is a US-based company and that the complainant's personal information was stored in the US is outweighed by the other, above-noted connecting factors in this case.
  3. Adobe's statement that it is responsible for marketing to Canadians and that it notified affected Canadians of the Data Breach are factors which speak in favour of, not against, a real and substantial connection to Canada. They show that Adobe is actively engaged in the Canadian market and that its products and services are targeted at Canadians.
  4. Lastly, we find Adobe's assertion that the "Choice of Law" provision in its Terms of Use and Privacy Policy precludes the application of PIPEDA to Canadian residents, such as the complainant, to be highly problematic.
  5. First, we note that the "Choice of Law" provision in Adobe's Terms of Use is ambiguous. While it purports to select California law as the applicable law, the provision also indicates that Adobe's customers "may have additional rights under the law. We do not seek to limit those rights to the extent prohibited by law."Footnote 1 Although the Privacy Policy lacks a similar statement, the Terms of Use do not clearly exclude the application of other laws, including Canadian laws such as PIPEDA.
  6. Second, even if Adobe's "Choice of Law" provision could be read as clearly excluding PIPEDA we do not believe such a provision is valid. We are not persuaded, given the current state of the law, that Adobe can contract out of its obligations under mandatory and quasi-constitutional legislation such as PIPEDA. In our view, it would be contrary to public policy to allow an organization with a real and substantial connection to Canada to avoid PIPEDA's protections by way of contract. Indeed, the very purpose of PIPEDA would be undermined if an organization could require individuals to waive their rights under the Act in order to obtain a product or service.
  7. We therefore cannot accept Adobe's argument that the "Choice of Law" provision in its Terms of Use and Privacy Policy render PIPEDA inapplicable.

Security Safeguards

  1. At issue is whether Adobe's security safeguards present at the time of the Data Breach were appropriate to the sensitivity of the information being protected. In addition to information about a customer's name, address and telephone number, Adobe also retained information about customer passwords, user IDs, as well as financial information which would be considered sensitive information.
  2. Our analysis of critical aspects of Adobe's systems and operational practices in place at the time of the Data Breach concluded that the security safeguards were not appropriate for protecting the personal information at issue. Acceptable practices in network design, server software maintenance, password management, and data retention and destruction were not observed.
  3. While Adobe did have a security program in place at the time of the Data Breach, the fact remains that certain aspects of its safeguards were lacking. Furthermore, all of the concerns we identified were related to the safeguarding of personal information at issue in this complaint and therefore, in our view, were properly within the scope of our investigation.
  4. We thus find that, in contravention of Principle 4.7, the security safeguards used by Adobe were not appropriate to the sensitivity of the information.
  5. We further find that, in contravention of Principle 4.7.1, Adobe's safeguards did not sufficiently protect the complainant's personal information and the personal information of other Canadians from unauthorized access.
  6. That being said, we are satisfied with the measures that Adobe has taken since the incident, and after exchanges with our Office and the ODPCI, to address the security safeguards issues towards preventing any recurrence. Many of these measures are of a commercially sensitive nature and thus cannot be mentioned in this report. But we can note that these measures include: Adobe's enhancements to both its user-password management process and its server authentication system, as well as the decommissioning of the server affected by the Data Breach and a reduction in the retention period for customers' payment data.

Conclusion

  1. Accordingly, we conclude that the security safeguards matter is well-founded and resolved.

Other

  1. We are concerned that when the complainant contacted Adobe directly to determine whether his information had been compromised, he was incorrectly advised that his information was safe. In our view, Adobe should have provided the complainant with accurate information concerning his personal information that had been exposed as a result of the Data Breach.
  2. The ability to accurately and transparently answer customer inquiries about their personal information in the wake of a breach demonstrates an organization's leadership and responsibility in handling the breach. It is consistent with Principle 4.9, which requires organizations, when formally requested, to inform an individual about the disclosure of his or her personal information. In our view, it would go a long way toward helping an organization regain customers trust after experiencing a breach incident.

Footnotes

 

Date modified: