A UK city council has been hit by a £100,000 fine after it suffered an embarrassing data breach as a result of not patching against the infamous Heartbleed vulnerability in a timely fashion.
As regular readers will recall, the Heartbleed bug in OpenSSL was discovered in 2014, giving malicious hackers, security researchers and snoopers a method to spy upon what should have been private communications, and scoop up confidential information such as email addresses and passwords.
IT security teams around the world raced to patch their systems as quickly as possible, and to ensure that their networks were no longer vulnerable to this devastating flaw.
But, sadly, some systems were left unprotected for too long.
That certainly appears to have been the case with Gloucester City Council which has now been fined £100,000 by watchdogs at the Information Commissioner’s Office (ICO). Here is the timeline of what happened, according to the ICO’s report:
7 April 2014: Details of the Heartbleed vulnerability are made public, and computer administrators are advised to take steps to ensure systems are secured.
17 April 2014: IT staff at Gloucester City Council determine that their SonicWall appliance is running a vulnerable version of OpenSSL, and that a patch is available. However, the council is in the process of outsourcing IT services to a third party company – and the vulnerability is overlooked.
22 July 2014: Gloucester City Council informs workers that hackers have compromised Twitter accounts belonging to senior staff. The attacker responds by informing the council that he has gained access to 16 users’ mailboxes by exploiting the Heartbleed vulnerability in the vulnerable appliance, and has been able to download over 30,000 emails exposing the personal information of up to 40 former or current staff.
In its damning judgement, the ICO found that Gloucester City Council failed to take appropriate steps to prevent, as much as possible, hackers from accessing the personal data:
“Furthermore, it found that the council did not have a proper policy in place to ensure that patches were being put in place while IT services were in the process of being outsourced.”
“The personal data that was obtained was clearly of interest to the attacker given the targeted nature of the attack. The mailboxes therefore required adequate security measures to protect the personal data contained in the emails.”
“This is all the more so when financial and sensitive personal information is concerned – in particular, as regards former or current staff who requested that it would be held securely. This heightens the need for robust technical and organisational measures to safeguard against unauthorised or unlawful access. For no good reason, Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure that the patch was applied, despite contracting with a third party company that could have applied the patch before the attack.”
No-one is denying that Gloucester City Council was the victim of a criminal attack, and that it could have been much worse.
But it is clear that there was a massive failure and serious oversight, which allowed former and current staff’s private and financial details to fall into the hands of hackers, opening opportunities for fraud and identity theft.
If you carelessly leave yourself vulnerable to attack, that may not be the only damage done to your organisation. You may also have to one day face a financial penalty.