Adobe’s doozy of a data breach last year, in which someone stole the details of 38 million people, has attracted the attention of the Irish Data Protection Commissioner (DPC).
The DPC, Billy Hawkes, is in the rather odd position of regulating much of the world’s online privacy. Tax breaks and fairly light-touch data protection regulation make Ireland the go-to international headquarters destination for many large companies ranging from Facebook to Apple and, of course, Adobe – Adobe Ireland has responsibility for the data of all the company’s customers outside North America.
The DPC is now investigating the massive Adobe theft, following “a number of complaints from British users”. It’s not clear yet what offense Adobe might have committed, though it would probably relate to not sufficiently securing user data. A spokeswoman for the DPC’s office told me on Wednesday that Adobe had reported the breach to it in line with the DPC’s code of practice.
Adobe revealed the breach to the public and the Irish DPC at the beginning of October 2013, saying that initial investigations suggested the attackers had made off with customer IDs and encrypted passwords, as well as the names, encrypted card details and other information relating to 2.9 million customers. Source code was also taken and, at the end of October, the company put the 38 million number on those IDs and passwords.
The breach itself apparently happened back in August. Whatever the Irish DPC decides, though, it doesn’t have particularly sharp teeth – at worst, it could hit Adobe with a €250,000 ($340,000) fine, which would be insignificant relative to the reputational damage Adobe has suffered.
This article was updated at 7.45am PT to include comment from the Irish DPC.