Gloucester City Council fined £100k for failing to deal with Heartbleed vulnerability

Written by Sooraj Shah on 14 June 2017 in News

Council knew about vulnerability for months prior to attacker gaining access to emails

Information Commissioner's Office said Gloucester had "overlooked the need to ensure that it had robust measures in place" against the 2014 attack

Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office (ICO) for failing to deal with the widespread Heartbleed vulnerability back in 2014.

On 7 April of that year, when Heartbleed received enormous publicity in the media, a new version of the affected software, OpenSSL, was released which fixed the flaw.

Ten days later, Gloucester’s IT staff identified the Heartbleed vulnerability in its own systems, because it was using a SonicWall appliance that contained an affected version of OpenSSL. A patch for the software was available, and the ICO said Gloucester had intended to apply it in accordance with its update policy. However, the council was in the process of outsourcing its IT services to a third party on 1 May 2014, and it therefore overlooked updating the software to address the vulnerability.


Then, in July, Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers at Gloucester had been compromised by an attacker. The same attacker responded to this email by stating that he or she had also gained access to 16 employees’ mailboxes via the Heartbleed vulnerability in the SonicWall appliance. The attacker said that he or she was able to download over 30,000 emails, many of which contained financial and sensitive personal information relating to between 30 and 40 former or current staff.

The attacker claimed to be a member of the ‘Anonymous’ group, a group of hackers known to be behind distributed denial of service (DDoS) attacks on government, religious and corporate websites. The attacker has not been identified and the emails have not been recovered.

The ICO said that Gloucester did not have a process in place to ensure that during outsourcing of its IT services, the patch for the Heartbleed flaw was applied at the right time. It said this was an ongoing contravention from 8 April 2014, when a patch for the affected software was available, until Gloucester took remedial action on 22 July 2014.

“For no good reason, Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure the patch was applied, despite contracting with a third party company that could have applied the patch before the attack,” the ICO said in its report. 

The ICO believes that a fine of £100,000 is appropriate; if the council pays the fine by 27 June 2017, the ICO will reduce it to £80,000.
