Gloucester City Council fined £100k for failing to deal with Heartbleed vulnerability

Written by Sooraj Shah on 14 June 2017 in News

Council knew about vulnerability for months prior to attacker gaining access to emails

Information Commissioner's Office said Gloucester had "overlooked the need to ensure that it had robust measures in place" against the 2014 attack. Credit: Fotolia

Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office (ICO) for failing to deal with the widespread Heartbleed vulnerability back in 2014.

On 7 April of that year, when Heartbleed received enormous publicity in the media, a new version of the affected software, OpenSSL, was released which fixed the flaw.
 
Ten days later, Gloucester's IT staff identified the Heartbleed vulnerability in its own systems, as it was using a SonicWall appliance which contained an affected version of OpenSSL. A patch for the software was available, and the ICO said Gloucester had intended to apply the patch in accordance with its update policy. However, it was in the process of outsourcing its IT services to a third party on 1 May 2014, and it therefore overlooked updating the software to address the vulnerability.

Then, in July, Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers at Gloucester had been compromised by an attacker. The same attacker responded to this email by stating that he or she had also gained access to 16 employees' mailboxes via the Heartbleed vulnerability in the SonicWall appliance. The attacker said that he or she was able to download over 30,000 emails, many of which contained financial and sensitive personal information relating to between 30 and 40 former or current staff.

The attacker claimed to be a member of the ‘Anonymous’ group, a group of hackers known to be behind distributed denial of service (DDoS) attacks on government, religious and corporate websites. The attacker has not been identified and the emails have not been recovered.

The ICO said that Gloucester did not have a process in place to ensure that during outsourcing of its IT services, the patch for the Heartbleed flaw was applied at the right time. It said this was an ongoing contravention from 8 April 2014, when a patch for the affected software was available, until Gloucester took remedial action on 22 July 2014.

“For no good reason, Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure the patch was applied, despite contracting with a third party company that could have applied the patch before the attack,” the ICO said in its report. 

The ICO believes that a fine of £100,000 is appropriate; if the council pays the fine by 27 June 2017, the ICO will reduce it to £80,000.
