Protect people’s data by patching systems against Meltdown and Spectre, ICO says

ICO urges organisations to patch systems against Meltdown and Spectre – and outlines how patching could affect GDPR compliance

Austin Clark | 8th Jan 18

The UK’s data protection watchdog says that personal data held by organisations, including charities, could be at risk if they don’t apply security updates designed to prevent exploitation of microprocessor flaws.

The security flaws, known as Meltdown and Spectre, affect almost every modern computer, and could allow hackers to steal sensitive personal data. The three connected vulnerabilities have been found in processors designed by Intel, AMD and ARM. The full technical details of these vulnerabilities can be found in this blog post, and papers have been published under the names Meltdown and Spectre that give further details.

Writing in an article on the ICO website, Nigel Houlden, Head of Technology Policy at the organisation, said: “The implications for data controllers are clear. If these vulnerabilities are exploited on a system that is processing personal data, then that personal data could be compromised. Alternatively, an attacker could steal credentials or encryption keys that would allow them to access personal data stored elsewhere.”

While, at the time of writing, no live attacks appear to have been carried out using these vulnerabilities, the ICO and NCSC agree that malware writers and hackers will be hard at work determining how they can make the best use of these vulnerabilities, and checking whether systems are vulnerable.

“We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency,” added Nigel.

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.

“Cloud service providers will have to carefully consider whether they will be considered as a data controller for any virtual machines running on vulnerable systems. Organisations that use cloud providers should obtain assurances from the provider that these vulnerabilities have been patched.”
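The first step the ICO asks for is to determine which systems are vulnerable. On Linux, a kernel that carries the Meltdown/Spectre fixes reports its mitigation state for each issue as a one-line file under /sys/devices/system/cpu/vulnerabilities/ (for example meltdown, spectre_v1, spectre_v2), each starting with "Not affected", "Mitigation:" or "Vulnerable". The script below is an added example, not part of the ICO article or Mr Houlden's advice: it classifies those lines, reports every entry, and exits non-zero when anything is still unmitigated, so it can be run across a fleet as a patch-verification check. The sample directory it builds is constructed data so the example runs on any system; the live check at the bottom only runs where the sysfs directory exists.

```shell
#!/bin/sh
# Added example (not from the ICO article): summarise the mitigation status the
# Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities/.
# Kernels predating the fixes have no such directory, which itself means
# "unpatched: cannot report status".

# classify_status STATUS_LINE
#   prints one of: not-affected | mitigated | vulnerable | unknown
classify_status() {
  case "$1" in
    "Not affected"*) echo "not-affected" ;;
    "Mitigation:"*)  echo "mitigated" ;;
    "Vulnerable"*)   echo "vulnerable" ;;
    *)               echo "unknown" ;;
  esac
}

# report_dir DIR
#   prints "<name> <status>" for every file in DIR
#   returns 0 if everything is mitigated or not affected,
#           1 if at least one entry is vulnerable or unknown,
#           2 if DIR does not exist (kernel too old to report at all)
report_dir() {
  dir="$1"
  rc=0
  if [ ! -d "$dir" ]; then
    echo "no vulnerabilities directory: kernel predates the fixes" >&2
    return 2
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    status=$(classify_status "$(cat "$f")")
    printf '%-16s %s\n' "$name" "$status"
    if [ "$status" = "vulnerable" ] || [ "$status" = "unknown" ]; then
      rc=1
    fi
  done
  return $rc
}

# make_sample_dir
#   builds a constructed sysfs look-alike (one unmitigated entry) for offline use
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Not affected\n' > "$d/meltdown"
  printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Vulnerable\n' > "$d/spectre_v2"
  echo "$d"
}

# Live check on this host, only where the kernel exposes the interface.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
  report_dir /sys/devices/system/cpu/vulnerabilities \
    || echo "at least one issue is not mitigated: apply vendor patches and recheck"
fi
```

Exit status 1 or 2 both mean the host needs attention; a patched system prints only mitigated or not-affected entries and exits 0. Hypervisors and cloud guests need the same check run on the host as well as in the VM, since a guest cannot see whether the host kernel and microcode were updated.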

Secure by design

While the article discusses the need to patch systems, it adds that privacy by design should be at the heart of information processing, from the hardware and software to the procedures, guidelines, standards, and policies that your organisation has or should have.

“Taking care of the basics will help protect your organisation from potential attacks, and therefore potential loss of data; they are simply part of due diligence,” Nigel wrote.

“Systems should be protected at each step; you should be looking at your data flows, understanding how your data moves across and beyond your organisation, both in the electronic format and the ‘real’ world format. You should be evaluating the impact of a data breach, or data loss on you, financially, and your reputation. Data should be secure at rest as well as when in transit – even if a hacker gets the data they shouldn’t be able to read it.”