The recent Adobe Analytics breach is the latest reminder of a well-known truth: regardless of how trusted or qualified the vendor is, outsourcing always introduces some level of risk.
The breach in brief (and its business impact)
In September, Adobe Analytics made headlines when an upgrade error caused proprietary analytics data to appear in unrelated customer dashboards. For a brief period, user accounts and personal information were essentially floating around beyond the control of the organisations to which they belonged.
According to a report by Mi3, the leaked information included “search terms, domain data and navigation structures”, many of which these businesses were legally obligated to protect under data privacy laws.
Adobe was able to revert the change and resolve the issue within 24 hours, as reported by BleepingComputer. While that did address the immediate problem, there are ongoing regulatory, governance, and operational impacts for those organisations affected.
Adobe’s misrouted data shows the risk of shared infrastructure, and the advantage of on-premise control.
Compliance consequences
Analytics platforms collect demographic and behavioural data that can re-identify people when combined, which is why it’s protected under the GDPR.
In incidents where such personal data, personally identifiable information, or sensitive datasets are exposed, it doesn’t matter whether the exposure is intentional or accidental. The organisation that owns the data is always responsible for it, even when management or security is outsourced to a third party.
Any exposure, breach or other security incident involving these types of data automatically triggers mandatory reporting, legal, and disclosure requirements.
There’s also the financial cost: remediation, forensics, fines, penalties, stalled sales, unfulfilled contract obligations and other opportunity costs. You’ll also pay for employees to fix the vendor’s mistake instead of working on something that actually brings in revenue.
Shared infrastructure = shared risk
Cybersecurity incidents and data breaches aren’t always the result of threat actors or security issues.
In shared environments, system‑level errors can cross organisational boundaries. This can expose proprietary information, campaign insights and customer attributes to competitors or cause them to be lost altogether.
When shared infrastructure and personal details are involved, a glitch with one tenant can have governance and compliance consequences for thousands of others. Even when incidents are resolved quickly and exposure periods are brief, the operational hit can be significant.
Data integrity and contamination
When unknown data enters organisational networks or systems during a security incident, it can spread quickly.
When contaminated data enters a platform as interconnected as Adobe’s, the level of exposure and potential damage multiplies. Reporting becomes skewed, dashboards are distorted, and organisations are left to fix problems they didn’t cause.
And for global organisations with multiple connectors, stakeholders and regional requirements, even minor breaches can quickly escalate into serious compliance issues.
Maintaining direct control over your analytics environment is the most effective safeguard against unwanted data spreading across divisions and jurisdictional boundaries.
Governance and accountability
Every digital system carries some level of risk, and in the worst-case scenario, mistakes can expose sensitive data and trigger specific compliance obligations.
Vendors handle data on your behalf, but they aren’t ultimately responsible for it. Organisations are always accountable for protecting their data, even when its management, handling, or security is outsourced to a third party.
On-premise systems are the most effective safeguards. By keeping critical data flows in-house, organisations can minimise data exposure risk. With on-premise solutions, you aren’t at the mercy of vendor mishaps and can implement privacy and compliance frameworks on your terms.
Without on-premise control, organisations risk fines, penalties, lawsuits, and reputational damage due to events out of their control.
Data sovereignty: 90-day action plan
The Adobe incident is a prompt for executives to reassess governance and prioritise visibility, control and accountability.
- How quickly could you contain a similar vendor failure?
- How much visibility do you have into your data right now?
- How dependent are you on external vendors for managing and storing your data?
The 90-day action plan below will help your organisation take proactive steps to strengthen data sovereignty and build resilience.
Day 1-30: Alignment
- Map where your data resides and who has access to it.
- Review vendor contracts and processing agreements for residency and tenant separation terms.
- Perform vendor risk assessments.
Day 31-60: Reinforcement
- Request vendor documentation on tenant segregation and incident response processes.
- Create a sovereignty map showing storage locations, flows and jurisdictions.
- Update contracts and procurement documentation to include explicit provisions regarding residency and liability.
Day 61-90: Resilience
- Create a sovereignty dashboard to track outsourced functions and associated risks.
- Develop a roadmap to bring high-risk categories in-house.
- Perform periodic reviews to monitor and communicate progress.
By day 90, sovereignty and accountability will begin to be embedded, but sustaining them requires ongoing effort.
Prioritising privacy and sovereignty from the start
The Adobe Analytics data breach had nothing to do with the quality of Adobe products. The reality is that there will always be inherent risks in cloud security. Even the most trusted vendors can suffer failures that push sensitive customer data or other legally protected information beyond anyone’s control.
Moving toward sovereign, on-premise systems is the clearest path toward data sovereignty. By bringing analytics flows in-house and keeping critical data on-site, organisations can strengthen governance and avoid third-party risks.
Matomo is the #1 open-source web analytics platform, and one of the few globally that offers a true on-premise option. With Matomo On-Premise, you can build privacy protection and accountability directly into your operations.
The next step is simple: bring your highest-risk data flows in-house and make privacy and sovereignty a built-in function of your organisation. That way, you don’t have to put your faith in someone else’s cloud to keep your information safe.