
Protect people’s data by patching systems against Meltdown and Spectre, ICO says

The UK’s data protection watchdog says that personal data held by organisations could be at risk if they don’t apply security updates designed to prevent exploitation of microprocessor flaws


The security flaws, known as Meltdown and Spectre, affect almost every modern computer, and could allow hackers to steal sensitive personal data. The three connected vulnerabilities have been found in processors designed by Intel, AMD and ARM. The full technical details of these vulnerabilities can be found in this blog post, and papers have been published under the names Meltdown and Spectre that give further details.

Writing in an article on the ICO website, Nigel Houlden, Head of Technology Policy at the organisation, said: “The implications for data controllers are clear. If these vulnerabilities are exploited on a system that is processing personal data, then that personal data could be compromised. Alternatively, an attacker could steal credentials or encryption keys that would allow them to access personal data stored elsewhere.”

While, at the time of writing, no live attacks appear to have been carried out using these vulnerabilities, the ICO and NCSC agree that malware writers and hackers will be hard at work determining how they can make the best use of them, and checking whether systems are vulnerable.

“We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency,” added Nigel.
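As an added example, not taken from the ICO article, the first step Houlden recommends (finding which systems are still unmitigated) can be automated on Linux hosts by reading the kernel's own per-flaw status files under /sys/devices/system/cpu/vulnerabilities, present since Linux 4.15; the sample status values below are constructed, and a host whose kernel lacks the files entirely predates the reporting interface and is flagged for investigation rather than assumed safe.

```python
from pathlib import Path

# Linux kernel (4.15+) sysfs interface reporting the status of each CPU flaw.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):  # covers bare "Vulnerable" and "Vulnerable: <detail>"
        return "vulnerable"
    return "unknown"  # empty or unrecognised: old kernel, non-Linux host, or new format


def assess(statuses):
    """Classify each flaw; anything vulnerable or unknown still needs patching/investigation."""
    results = {name: classify(statuses.get(name, "")) for name in CHECKS}
    needs_patch = [n for n, r in results.items() if r in ("vulnerable", "unknown")]
    return {"results": results, "needs_patch": needs_patch}


def read_sysfs(directory=SYSFS_DIR):
    """Read the kernel's reports; a missing file yields "" and is classified as unknown."""
    statuses = {}
    for name in CHECKS:
        try:
            statuses[name] = (directory / name).read_text()
        except OSError:
            statuses[name] = ""
    return statuses


# Constructed sample outputs (not captured from a real host) showing both end states.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    report = assess(read_sysfs())
    for name, state in report["results"].items():
        print(f"{name:11} {state}")
    print("needs patching or investigation:", report["needs_patch"] or "none")
```

Run it across a fleet (for example via your configuration management tool) and treat the needs_patch list as the work queue; note that a mitigated kernel still relies on up-to-date microcode and hypervisor patches for full coverage.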

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.

“Cloud service providers will have to carefully consider whether they will be considered as a data controller for any virtual machines running on vulnerable systems. Organisations that use cloud providers should obtain assurances from the provider that these vulnerabilities have been patched.”


Secure by design

While the article discusses the need to patch systems, it adds that privacy by design should be at the heart of information processing, from the hardware and software to the procedures, guidelines, standards, and policies that your organisation has or should have.

“Taking care of the basics will help protect your organisation from potential attacks, and therefore potential loss of data; they are simply part of due diligence,” Nigel wrote.

“Systems should be protected at each step. You should be looking at your data flows, understanding how your data moves across and beyond your organisation, both in the electronic format and the ‘real’ world format. You should be evaluating the impact of a data breach, or data loss on you, financially, and your reputation. Data should be secure at rest as well as when in transit – even if a hacker gets the data they shouldn’t be able to read it.”
