GDPR, OpenSSL, Heartbleed and a Cascade of Security Breaches

The upcoming EU General Data Protection Regulation (GDPR), which takes effect in May 2018, will have a significant impact on any organization that controls or processes the personal data of people in the EU, and that includes U.S. and U.K. businesses. A harbinger of what GDPR enforcement will look like is the six-figure fine recently issued to Gloucester City Council in England for a breach of UK data protection law.

The council failed to ensure that the open source software it relied on, OpenSSL, was updated to fix the “Heartbleed” vulnerability (CVE-2014-0160), a critical flaw that lets an attacker read memory from a vulnerable server or client and so expose supposedly secure communications. Even though Heartbleed was disclosed more than three years ago, and the council's own IT staff flagged the need to update the software, the patch was never applied. Gloucester City Council “did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made,” said the entity imposing the £100,000 fine, the UK's Information Commissioner's Office (ICO).

According to the notice I linked to above, the council’s failure resulted in the following cascade of security breaches:

  • In July 2014 Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers at Gloucester had been compromised by an attacker.
  • The same attacker responded to this email by stating that he had also gained access to 16 users' mailboxes via the Heartbleed vulnerability in the SonicWall appliance (containing an affected version of OpenSSL) that was used for routing traffic to Gloucester's services.
  • The attacker was able to download over 30,000 emails from a senior officer's mailbox, containing financial and sensitive personal information on past and current employees.

“Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure that the [OpenSSL] patch was applied,” the report concludes.

Many organizations don’t pay sufficient attention to the security exposures created by vulnerable open source components, and may not even be aware these exposures exist. In Black Duck’s most recent analysis of more than 1,000 commercial applications, 67 percent of the applications containing open source contained known vulnerabilities.

OpenSSL, the library in which Heartbleed was found, was among the most common high-risk components identified in the Black Duck audits. It is embedded in hundreds of thousands of applications that need to protect network communications against eavesdropping, and is used by many businesses in their web servers, email and chat servers, and client-side software. Besides the breach at Gloucester City Council, Heartbleed was used in 2014 to steal personal taxpayer data from the Canada Revenue Agency.


Yet, years later, many companies still run a version of OpenSSL containing the Heartbleed vulnerability because they lack insight into their own open source use, leaving themselves open to data breaches and fines. Thousands of similar vulnerabilities, some less dangerous than Heartbleed and some more so, exist in open source components in use today.
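The insight the paragraph above calls for starts with a component inventory and a check of each OpenSSL version against the affected range published in the OpenSSL advisory: upstream 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release are vulnerable; 1.0.1g and later, and the 0.9.8 and 1.0.0 branches, are not. The following Python script is an added example written for this article, not code from Black Duck, the ICO notice, or the OpenSSL project. The inventory format (component, version, location) and every line of sample data in it are constructed for the example.

```python
"""Triage an open source component inventory for Heartbleed-affected OpenSSL.

Heartbleed (CVE-2014-0160) affects upstream OpenSSL 1.0.1 through 1.0.1f
and the 1.0.2-beta1 pre-release. 1.0.1g and later are fixed, and the
0.9.8 / 1.0.0 branches never contained the heartbeat code.
"""
import re

# Upstream version strings look like 1.0.1e, 1.0.2-beta1, 1.1.0h.
UPSTREAM_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?$")

FIRST_FIXED_101_LETTER = "g"  # 1.0.1g is the first fixed release on the 1.0.1 branch

AFFECTED = "affected"
NOT_AFFECTED = "not affected"
UNKNOWN = "unknown: distro-patched version, check the vendor advisory"


def parse_upstream_version(version):
    """Split an upstream OpenSSL version into (major, minor, fix, letter, pre).

    Raises ValueError for strings that are not plain upstream versions, such
    as distribution package versions (1.0.1e-2+deb7u5 style) whose suffix
    encodes backported fixes the upstream number says nothing about.
    """
    m = UPSTREAM_VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not an upstream OpenSSL version: {version!r}")
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def is_heartbleed_affected(version):
    """True if an upstream OpenSSL version falls inside the Heartbleed range."""
    major, minor, fix, letter, pre = parse_upstream_version(version)
    if (major, minor, fix) == (1, 0, 1):
        # Patch letters are single characters, so a plain string compare
        # orders them: "" (1.0.1 itself) and "a".."f" are affected, "g"+ fixed.
        # 1.0.1 pre-releases already carried the heartbeat code, so they count too.
        return letter < FIRST_FIXED_101_LETTER
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta was cut before the fix landed.
        return letter == "" and pre == "beta1"
    return False


def triage_inventory(inventory_text):
    """Classify the OpenSSL lines of a 'component,version,location' inventory.

    Returns a list of (version, location, verdict) for the OpenSSL entries,
    in file order; other components are skipped.
    """
    results = []
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        component, version, location = (f.strip() for f in line.split(",", 2))
        if component.lower() != "openssl":
            continue
        try:
            verdict = AFFECTED if is_heartbleed_affected(version) else NOT_AFFECTED
        except ValueError:
            # Distro packages backport fixes without bumping the upstream letter,
            # so the upstream range cannot judge them; defer to the vendor advisory.
            verdict = UNKNOWN
        results.append((version, location, verdict))
    return results


# Constructed inventory for the example, not real data.
SAMPLE_INVENTORY = """\
openssl,1.0.1e,vendor VPN appliance firmware
openssl,1.0.1g,public web tier
openssl,1.0.2-beta1,staging build
openssl,1.0.0k,legacy mail relay
openssl,1.0.1e-2+deb7u5,debian package on an internal host
zlib,1.2.8,public web tier
"""

if __name__ == "__main__":
    for version, location, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{verdict:<12} openssl {version:<18} {location}")
```

Two caveats a practitioner should keep in mind when feeding such a script. First, the version string is only a proxy: a 1.0.1 build compiled with `-DOPENSSL_NO_HEARTBEATS`, the workaround named in the original advisory, is not exploitable even though its version falls in the range, and an appliance that bundles OpenSSL, like the one in the Gloucester case, often reports no OpenSSL version at all, so the vendor's advisory is the only reliable source. Second, the script deliberately refuses to judge distribution package versions; the upstream number they carry was frozen when the backporting started and tells you nothing about which fixes the package actually contains.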

The £100,000 fine imposed on Gloucester City Council should serve as a reminder to all organizations of the need to manage the security risks of open source software, which often goes unnoticed and unpatched. Far heavier fines, up to 4% of annual worldwide turnover or €20 million, whichever is greater, will arrive with the GDPR when it comes into force. It will be essential that companies keep all software, both open source and commercial, up to date and ensure that their data, particularly sensitive personal data, remains secure.

