Protect people’s data by patching systems against Meltdown and Spectre, ICO says

The UK’s data protection watchdog says that personal data held by organisations could be at risk if they don’t apply security updates designed to prevent exploitation of microprocessor flaws


The security flaws, known as Meltdown and Spectre, affect almost every modern computer, and could allow an attacker who can run code on a machine to read memory that should be off-limits to them, including passwords, encryption keys and other sensitive personal data. The three connected vulnerabilities (Meltdown, CVE-2017-5754; Spectre variant 1, CVE-2017-5753; and Spectre variant 2, CVE-2017-5715) have been found in processors designed by Intel, AMD and ARM; Meltdown mainly affects Intel and some ARM designs, while Spectre affects parts from all three vendors. The full technical details of these vulnerabilities can be found in the blog post that disclosed them, and papers have been published under the names Meltdown and Spectre that give further details.

Writing in an article on the ICO website, Nigel Houlden, Head of Technology Policy at the organisation, said: “The implications for data controllers are clear. If these vulnerabilities are exploited on a system that is processing personal data, then that personal data could be compromised. Alternatively, an attacker could steal credentials or encryption keys that would allow them to access personal data stored elsewhere.”

While, at the time of writing, no live attacks appear to have been carried out using these vulnerabilities, the ICO and the National Cyber Security Centre (NCSC) agree that malware writers and hackers will be hard at work working out how best to exploit them, and how to check whether systems are vulnerable.

“We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency,” added Nigel.
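Determining which systems are vulnerable starts with asking the operating system what it believes its own mitigation status to be. The script below is an added example and is not from the ICO article or from NCSC guidance: on Linux kernels that carry the fixes (4.15 and backports), the kernel publishes one file per issue under /sys/devices/system/cpu/vulnerabilities/, each containing "Not affected", "Vulnerable…" or "Mitigation: …". The function reads that directory (or any directory handed to it, which is how the constructed sample below is checked offline) and returns non-zero if anything is still reported as Vulnerable, so it can be dropped into an inventory or configuration-management run. The sample status strings in make_sample are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the ICO's or NCSC's code): report the kernel's own view of
# its speculative-execution mitigations from sysfs.
#
# check_cpu_vulns [DIR]
#   Prints "<state> <issue>: <status>" for each file in DIR (default: the real
#   sysfs path). Returns 0 if nothing is reported Vulnerable or unknown,
#   1 if at least one issue is, 2 if the kernel does not expose the interface.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        # Pre-4.15 kernels (without backports) say nothing at all; treat as
        # unknown rather than as patched.
        echo "no $dir: kernel does not report mitigation status" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected") echo "unaffected $name" ;;
            Mitigation*)    echo "mitigated  $name: $status" ;;
            Vulnerable*)    echo "VULNERABLE $name: $status"; rc=1 ;;
            *)              echo "unknown    $name: $status"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample directory (assumption: these strings imitate the sysfs
# format; they are not from a real machine). Shows a host with page-table
# isolation in place but a retpoline build that the kernel still flags.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone use: `sh check_cpu_vulns.sh` audits this host when the sysfs
# interface exists; `sh check_cpu_vulns.sh "$(make_sample)"` is not needed,
# the sample is only for the offline demonstration.
if [ -z "${1:-}" ] && [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    check_cpu_vulns || echo "ACTION: at least one issue still reported Vulnerable on $(hostname)"
fi
```

A "Mitigation:" line means the kernel has its part in place; it does not prove the CPU microcode or the hypervisor underneath a virtual machine is updated, which is exactly the assurance the article says cloud customers must obtain from their provider. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports both the OS and hardware sides.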

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.

“Cloud service providers will have to carefully consider whether they will be considered as a data controller for any virtual machines running on vulnerable systems. Organisations that use cloud providers should obtain assurances from the provider that these vulnerabilities have been patched.”


Secure by design

While the article focuses on the need to patch systems, it adds that privacy by design should be at the heart of information processing, from the hardware and software to the procedures, guidelines, standards and policies that an organisation has or should have.

“Taking care of the basics will help protect your organisation from potential attacks, and therefore potential loss of data; they are simply part of due diligence,” Nigel wrote.

“Systems should be protected at each step; you should be looking at your data flows, understanding how your data moves across and beyond your organisation, both in the electronic format and the ‘real’ world format. You should be evaluating the impact of a data breach or data loss on you, financially and on your reputation. Data should be secure at rest as well as when in transit – even if a hacker gets the data they shouldn’t be able to read it.”
