PublicTechnology

Gloucester City Council fined £100k for failing to deal with Heartbleed vulnerability

Matt.foster June 14, 2017 in Government and politics Tagged , , - 2 Minutes

Council knew about vulnerability for months prior to attacker gaining access to emails

Information Commissioner’s Office said Gloucester had “overlooked the need to ensure that it had robust measures in place” against the 2014 attack Credit: Fotolia​

Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office (ICO) for failing to deal with the widespread Heartbleed vulnerability back in 2014.

On April 7th of that year, when Heartbleed received enormous publicity in the media, a new version of the affected software called OpenSSL was released which fixed the flaw.
 
Ten days later, Gloucester’s IT staff identified the Heartbleed vulnerability in its own systems as it was using an appliance called SonicWall which contained an affected version of OpenSSL. A patch for the software was available and the ICO said Gloucester had intended to apply the patch in accordance with its update policy. However, it was in the process of outsourcing its IT services to a third party on 1 May 2014, and it therefore overlooked updating the software to address the vulnerability. 

Related content

NHS ransomware attack one month on: “The people who didn’t patch Windows 7 should be sacked”
ICO bids to promote data protection and privacy research with grants programme
Turning the tide: how the public sector can win the battle against shadow IT

Then, in July, Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers at Gloucester had been compromised by an attacker. The same attacker responded to this email by stating that he had also gained access to 16 employees’ mailboxes via the Heartbleed vulnerability in the SonicWall appliance. The attacker said that he or she was able to download over 30,000 emails, of which many contained financial and sensitive personal information relating to between 30 or 40 former or current staff.

The attacker claimed to be a member of the ‘Anonymous’ group, a group of hackers known to be behind distributed denial of service (DDoS) attacks on government, religious and corporate websites. The attacker has not been identified and the emails have not been recovered.

The ICO said that Gloucester did not have a process in place to ensure that during outsourcing of its IT services, the patch for the Heartbleed flaw was applied at the right time. It said this was an ongoing contravention from 8 April 2014, when a patch for the affected software was available, until Gloucester took remedial action on 22 July 2014.

“For no good reason, Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure the patch was applied, despite contracting with a third party company that could have applied the patch before the attack,” the ICO said in its report. 

The ICO believes that a fine of £100,000 is appropriate – if the council pays the fine by 27 June 2017, it will reduce the fine to £80,000. 

Related Posts

ONS workers set to begin programme of industrial action in light of in-office demand
May 1, 2024
GDS founder part of crack team brought in to advise Labour on HMRC modernisation
April 22, 2024
Whitehall CTOs agree ‘principles and guardrails’ for government mobile app strategy to be published next year
April 19, 2024

Matt.foster

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *

Newsletter Signup
Processing...
Thank you! Your subscription has been confirmed. You'll hear from us soon.
Subscribe to our newsletter
ErrorHere