Adobe under investigation by Ireland's data regulator

News by Steve Gold

Potential EU fine could cost up to €100 million (£82.7 million).

Following a number of complaints, the Irish Data Protection Commissioner (DPC) - the equivalent of the ICO in the UK - has begun an investigation into the massive Adobe data breach in which hackers stole around 38 million customer records from the company's server.

According to the DPC, an investigation has been ongoing since last October, when the company's Irish operation first notified the regulator of its problems.

"This office immediately launched an investigation into the matter, which is still ongoing," said the DPC's press statement.

Despite initially claiming that the data breach only affected 2.9 million users, that figure was later revised to 38 million by Adobe following investigations by security researcher Brian Krebs, who revealed that the database included email addresses, passwords and password hints. Krebs added that the reported source code leaked had widened to include Adobe's Photoshop software.

The data breach figure was as high as 100 million customer records in some quarters. When looking into the case, Krebs found that the portal posted a huge (3.8GB) file, called `users.tar.gz', which appeared to include more than 150 million users' name and hashed password pairs apparently taken from Adobe. The file also appeared to show that Adobe users had also been compromised.

Although Adobe's Dublin operation is only a smaller part of a global operation with 9,200 employees, the Irish data regulator has said previously that it treats companies with Irish operations as the effective data controller for all companies outside of North America.

Remarking on the case, Quocirca IT security analyst Bob Tarzey said that Adobe will face a heavy fine if found guilty of negligence by the Irish DPC.

"As a member of the European Union, the EU data protection legislation will eventually apply and this exposes Adobe to a fine of up to five percent of turnover.” He also added that the case is still subject to Irish data protection regulation.

Commenting on the fact that the Irish regulator treats companies with local country operations as a data controller for other regions, he said he does not see why another country could not take action against Adobe for leaking its citizens' data. 

"It will depend on any investigation proving that Adobe was somehow negligent. If the breach was due to circumstances beyond its control there may be no case the answer. Furthermore, when the breach occurred, Adobe claimed the sensitive data involved was encrypted, so if this proves to be correct, then again, good practice may mean it has no case to answer," he noted.

Kevin Bailey, a former IDC analyst now working for data security vendor Clearswift, told that organisations like Adobe need to be more pro-active in communicating breaches for critical information.

“The response from the Irish DPO will become the rule rather than an exception when (and if) the new European Data Protection Regulations is passed in May. A €250,000 fine today could result in up to a five percent fine of worldwide revenues for the persistent lack of security for this personally identifiable information,” he said.

“Organisations need to promote greater security-aware practices internally, to help employees and customers realise their risks, whilst changing their personal and business working practices in light of the inadequate protection afforded by some software providers,” concludes Bailey.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews