The Information Commissioner's Office (ICO) has hit Gloucester City Council with a £100,000 fine after hackers took advantage of the Heartbleed flaw months after it had been patched; they then snatched the personal data of public employees.
The ICO's group enforcement manager, Sally Anne Poole, labelled the 2014 breach “a serious oversight on the part of Gloucester City Council.” The attack led to the theft of 30,000 emails from council mailboxes, many of which contained sensitive personal information.
At specific fault, the ICO alleges, is that the council outsourced its security to a third party, which did not fix the well-publicised Heartbleed vulnerability even though a patch had been available for months before the council was breached. Poole added: “A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”
Steve Armstrong, MD of Logically Secure, told SC Media UK that a vulnerability as big as Heartbleed shouldn't have been missed: “The whole reason we have such marketing to the public of critical vulnerabilities is that it makes people aware. If an organisation misses every piece of news that kicked out since Heartbleed became public and doesn't take that on as a critical thing to patch and help prevent, then they sort of get what they deserve.”
“These things are often outsourced,” added Armstrong. “Not having security implemented within your SLA and within your contract can come back and bite you.” What probably happened, speculated Armstrong, was: “The outsourcer says ‘oh, we do patching every three months’ and that looks good enough for the contract, but actually isn't enough when it comes down to it.”
Heartbleed has been the bane of many organisations since it was introduced into OpenSSL in 2012. A memory handling bug in the widely used OpenSSL cryptography library, the vulnerability allowed attackers to read sensitive data from what were supposed to be secure web servers.
The Canadian taxman, the wildly popular parenting site Mumsnet and the second largest hospital chain in the US all fell victim to the vulnerability. When CVE-2014-0160 was eventually publicly reported in April 2014, it was believed that around 17 percent of the entire internet's secure web servers were vulnerable to Heartbleed. Though a new version of OpenSSL quickly patched the vulnerability, it was predicted that many servers would remain vulnerable. Gloucester City Council may have been one of those.
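The gap the ICO describes is between a patch being released and an organisation knowing which of its own servers still run an affected build. As an added example (not code from the article, the council or its supplier), the following Python script triages a constructed OpenSSL inventory against the upstream release range affected by CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g). It goes slightly beyond the article in handling one caveat a practitioner will hit: distribution packages often backport the fix while keeping the upstream version string, so a bare version comparison misreports them. The inventory lines and the `BACKPORTED_FIXED_REVISIONS` allowlist are constructed placeholders to be replaced with data from your own asset records and your distribution's security advisories.

```python
"""Triage an OpenSSL inventory for Heartbleed (CVE-2014-0160) exposure.

Added example, not part of the original article. Inventory data and the
backport allowlist below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Upstream OpenSSL releases affected by CVE-2014-0160: 1.0.1 (no letter)
# through 1.0.1f, plus 1.0.2-beta1. Fixed in 1.0.1g / 1.0.2-beta2.
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
VULNERABLE_101_SUFFIXES = ("", "a", "b", "c", "d", "e", "f")

# Constructed placeholder: package revisions that your distribution's
# advisories say carry a backported fix while keeping the upstream version
# string. Populate this from the real advisories before relying on it.
BACKPORTED_FIXED_REVISIONS = {
    "1.0.1e-2+deb7u5",  # illustration only; verify against the vendor advisory
}

# Matches "1.0.1e", "1.0.1", "1.0.2-beta1" inside strings such as
# "OpenSSL 1.0.1e 11 Feb 2013" or dpkg-style "1.0.1e-2+deb7u5".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
# Captures the full package revision, e.g. "1.0.1e-2+deb7u5".
REVISION_RE = re.compile(r"\d+\.\d+\.\d+[a-z]*-[\w.+~]+")


@dataclass
class Finding:
    host: str
    version: str
    status: str  # "vulnerable", "patched", "backported" or "unknown"


def classify(version_field: str) -> str:
    """Classify one OpenSSL version string for Heartbleed exposure."""
    m = VERSION_RE.search(version_field)
    if not m:
        return "unknown"  # unparsable build string: needs manual review
    major, minor, patch, letters, beta = m.groups()
    base = f"{major}.{minor}.{patch}"
    if base == "1.0.1":
        if letters in VULNERABLE_101_SUFFIXES:
            # Upstream string says vulnerable; check for a distro backport.
            rev = REVISION_RE.search(version_field)
            if rev and rev.group(0) in BACKPORTED_FIXED_REVISIONS:
                return "backported"
            return "vulnerable"
        return "patched"  # 1.0.1g and later
    if base == "1.0.2" and beta == "beta1":
        return "vulnerable"
    return "patched"  # 0.9.8.x, 1.0.0.x, 1.0.2-beta2 and later


def triage(inventory_csv: str) -> list[Finding]:
    """Parse 'host,version' lines (constructed format) into findings."""
    findings = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        findings.append(Finding(host.strip(), version.strip(), classify(version)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group hostnames by status so the 'vulnerable' and 'unknown' buckets
    can be handed straight to whoever owns patching."""
    summary: dict[str, list[str]] = {}
    for f in findings:
        summary.setdefault(f.status, []).append(f.host)
    return {status: sorted(hosts) for status, hosts in summary.items()}


# Constructed sample inventory: host,openssl_version_string
INVENTORY = """\
web-01,OpenSSL 1.0.1e 11 Feb 2013
web-02,OpenSSL 1.0.1g 7 Apr 2014
mail-01,1.0.1e-2+deb7u5
legacy-01,OpenSSL 0.9.8y 5 Feb 2013
lb-01,OpenSSL 1.0.2-beta1 24 Feb 2014
app-01,unknown build
"""

if __name__ == "__main__":
    for status, hosts in summarize(triage(INVENTORY)).items():
        print(f"{status:11s} {', '.join(hosts)}")
```

The "unknown" bucket matters as much as the "vulnerable" one: a host whose build string cannot be parsed is exactly the kind of asset that slips through a quarterly patching cycle, and treating it as patched by default is how a months-old flaw stays exploitable.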
While the ICO has been damning, Jon McGinty, managing director of Gloucester City Council defended its actions - or inactions. In a statement McGinty told SC, “The council is very disappointed with this decision by the Information Commissioner, and is considering its position whether to appeal.”
McGinty defended the council, saying that there is insufficient evidence to show that the breach took place after the council learned of Heartbleed, and that after learning of the vulnerability it did “take swift and reasonable steps” to secure itself. The council has invested over £1 million in security in the last three years, concluded McGinty, and the fine would only deprive Gloucester of important services.