Gloucester City Council fined £100k for failing to deal with Heartbleed vulnerability
Council knew about vulnerability for months prior to attacker gaining access to emails
Information Commissioner's Office said Gloucester had "overlooked the need to ensure that it had robust measures in place" against the 2014 attack Credit: Fotolia
Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office (ICO) for failing to deal with the widespread Heartbleed vulnerability back in 2014.
On April 7th of that year, when Heartbleed received enormous publicity in the media, a new version of the affected software called OpenSSL was released which fixed the flaw.
Ten days later, Gloucester’s IT staff identified the Heartbleed vulnerability in its own systems as it was using an appliance called SonicWall which contained an affected version of OpenSSL. A patch for the software was available and the ICO said Gloucester had intended to apply the patch in accordance with its update policy. However, it was in the process of outsourcing its IT services to a third party on 1 May 2014, and it therefore overlooked updating the software to address the vulnerability.
NHS ransomware attack one month on: "The people who didn’t patch Windows 7 should be sacked"
ICO bids to promote data protection and privacy research with grants programme
Turning the tide: how the public sector can win the battle against shadow IT
Then, in July, Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers at Gloucester had been compromised by an attacker. The same attacker responded to this email by stating that he had also gained access to 16 employees’ mailboxes via the Heartbleed vulnerability in the SonicWall appliance. The attacker said that he or she was able to download over 30,000 emails, of which many contained financial and sensitive personal information relating to between 30 or 40 former or current staff.
The attacker claimed to be a member of the ‘Anonymous’ group, a group of hackers known to be behind distributed denial of service (DDoS) attacks on government, religious and corporate websites. The attacker has not been identified and the emails have not been recovered.
The ICO said that Gloucester did not have a process in place to ensure that during outsourcing of its IT services, the patch for the Heartbleed flaw was applied at the right time. It said this was an ongoing contravention from 8 April 2014, when a patch for the affected software was available, until Gloucester took remedial action on 22 July 2014.
“For no good reason, Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure the patch was applied, despite contracting with a third party company that could have applied the patch before the attack,” the ICO said in its report.
The ICO believes that a fine of £100,000 is appropriate – if the council pays the fine by 27 June 2017, it will reduce the fine to £80,000.
Government issues edict instructing public bodies to move email and websites to gov.uk and other new domains
National Audit Office report also points to a lack of coordination in response to attack, which the government has concluded was conducted by North Korea
Body pledges new structure will be ‘fair’, with detailed information likely before the end of 2017
Carol Brock of OpenText believes better use of structured and unstructured data could help the government deliver better policy and services