The upcoming EU General Data Protection Regulation (GDPR), which goes into effect in 2018, is going to have a significant impact on any organization that controls or processes personal data on European citizens, and that includes U.S. and U.K. businesses. A harbinger of things to come with GDPR is the six-figure fine recently issued to Gloucester City Council in England for a breach of UK data protection laws.
The council failed to ensure that open source software it was using was updated to fix the “Heartbleed” vulnerability, a critical security flaw that can expose secure communications. Even though Heartbleed was discovered over three years ago, and IT staff at the council flagged the need to update the software, a patch issued for the software was never applied. Gloucester City Council “did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made,” said the entity imposing the £100,000 fine, the UK's Information Commissioner's Office (ICO).
According to the notice I linked to above, the council’s failure resulted in the following cascade of security breaches:
- In July 2014 Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers at Gloucester had been compromised by an attacker.
- The same attacker responded to this email by stating that he had also gained access to 16 users' mailboxes via the Heartbleed vulnerability in the SonicWall appliance (containing an affected version of OpenSSL) that was used for routing traffic to Gloucester's services.
- The attacker was able to download over 30,000 emails from a senior officer's mailbox, containing financial and sensitive personal information on past and current employees.
“Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure that the [OpenSSL] patch was applied,” the report concludes.
Many organizations don’t pay sufficient attention to the security exposures created by vulnerable open source components, and may not even be aware these exposures exist. In Black Duck’s most recent analysis of more than 1,000 commercial applications, 67 percent of the applications containing open source contained known vulnerabilities.
OpenSSL, the open source library in which the Heartbleed flaw was found, was among the most common high-risk components identified in the Black Duck audits. It is embedded in hundreds of thousands of applications that need to secure communications over computer networks against eavesdropping, and many businesses rely on it for their websites, email and chat servers, and client-side software. Besides the Gloucester City Council breach, Heartbleed was used in 2014 to steal personal taxpayer data from the Canada Revenue Agency.
Yet, years later, many companies still use a version of OpenSSL containing the Heartbleed vulnerability due to a lack of insight into their open source use, opening themselves to possible data breaches and fines. Thousands of similar vulnerabilities — some less dangerous than Heartbleed, some even more so — exist in many open source components today.
The £100,000 fine imposed on Gloucester City Council should serve as a reminder to all organizations of the need to manage the security risks of open source software, which often goes unnoticed and unpatched. Hefty fines (up to 4% of annual global revenue or €20 million, whichever is greater) will come with the GDPR when it goes into force. Companies will need to keep all software, both open source and commercial, up to date and ensure that their data, particularly sensitive personal data, remains secure.