It was reported today that The Information Commissioner’s Office (ICO) has hit Gloucester City Council with a £100,000 fine after hackers took advantage of the Heartbleed flaw months after it had been patched. The full story can be found here. Paul Farrington, Manager, EMEA Solution Architects at Veracode commented on this news below.
Paul Farrington, Manager, EMEA Solution Architects at Veracode:
“The latest fine imposed by the ICO, on Gloucester City Council is an unfortunate outcome for this public body. Vendors like Veracode in 2014, were offering free scans, with ‘no strings attached’. Such, was the importance of addressing Heartbleed, which is a highly exploitable vulnerability. The Council officials could have protected the 30,000 leaked email records without incurring any additional cost burden.
There will be a variety of reasons why this vulnerability was not patched. Top of the list, will be the notion that that Council had outsourced the responsibility to a third-party IT provider to manage vulnerabilities. The reality however, is that you can’t outsource the obligation to protect the privacy of individuals. Whilst one might be able to cut costs by getting a firm to look after day-to-day tasks, the buck still stops with the data owner – in this case Gloucester City Council.
This is a particularly relevant matter, given the recent WannaCry outbreak which exploited vulnerabilities in the Microsoft operating system and took down large swaths of the NHS IT network. A recent FOI request, issued by Veracode, revealed that nearly half of NHS Trusts scan for application vulnerabilities just once a year, it’s clear that large parts of the public sector are asleep at the wheel, when it comes to securing the software that runs our lives.”