Patch Now or Risk GDPR Fines Later, Regulator Warns
Failures Discovered After Privacy Law Takes Effect Face Retroactive Punishment
As organizations grapple with the Meltdown and Spectre flaws that affect millions of modern microprocessors, keep in mind this message from Britain's data privacy watchdog: Patch now or pay later (see Performance Hit: Meltdown and Spectre Patches Slow Systems).
Guidance released by the U.K. Information Commissioner's Office in the wake of the Meltdown and Spectre flaws announced Jan. 3 warns that even though Europe's new General Data Protection Regulation won't be enforced until May 25, organizations that fail to properly ascertain their vulnerabilities, and test and apply patches now, may face the law's outsized fines for any poor decisions they make before enforcement begins.
"We strongly recommend that organizations with affected hardware test and apply patches from suppliers as soon as they are released," Nigel Houlden, head of technology policy for the ICO, said in the wake of the flaws being announced.
The ICO has since issued further guidance. "Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty," Houlden says in a blog post, referring to the U.K.'s current data privacy law, which allows for fines of up to £500,000 ($675,000).
"Under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organizations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously," he adds.
As a measure of how seriously Europe treats citizens' right to privacy, under GDPR, EU privacy watchdogs can levy fines of up to €20 million (about £18 million, or $24 million) or 4 percent of an organization's annual, global sales revenue - whichever is greater.
Patch Offenders: Carphone Warehouse, TalkTalk
A corresponding wake-up call for businesses should be the fact that poor patch management has featured in many breaches that have led to ICO penalties.
On Tuesday, the ICO hit London-based mobile phone retailer Carphone Warehouse with a £400,000 ($540,000) fine over a 2015 breach that exposed personal data for 3.3 million customers and 1,000 employees (see Carphone Warehouse Breach: 'Striking' Failures Trigger Fine).
The ICO characterized Carphone Warehouse's approach to patch management as being "seriously inadequate."
An attacker used a free penetration testing tool called Nikto to scan for flaws in Carphone Warehouse's infrastructure, which included an internet-connected WordPress installation that dated from 2009 and hadn't been updated in the six years prior to the breach, the ICO's investigation found.
If an attacker could run Nikto against the infrastructure, the organization's own security team could have run the same scan first and fixed what it found. Or as U.K. Information Commissioner Elizabeth Denham said on Wednesday when announcing the fine: "A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks."
The fine levied against Carphone Warehouse equals the £400,000 penalty the ICO imposed on London-based telecommunications giant TalkTalk in October 2016, after an attacker used a SQL injection flaw in October 2015 to steal data for almost 157,000 TalkTalk customers, including bank account numbers and sort codes for more than 15,000 of them. The ICO's investigation found that the flaw dated from 2009, when TalkTalk acquired rival telco Tiscali's U.K. operations and IT infrastructure.
The ICO found that this infrastructure was not being maintained or patched and had a known, serious vulnerability that was exploited by an attacker wielding an automated tool called sqlmap that's designed to scan for database flaws and exfiltrate data (see TalkTalk Breach Investigation: Top Cybersecurity Takeaways).
Equifax's Patching Problem
Poor patch management practices leading to major breaches of consumer data are not just a problem for U.K.-based organizations.
Last year, a breach of Atlanta-based data broker Equifax exposed records for 145.5 million U.S. consumers, 15.2 million British consumers and 8,000 Canadian consumers.
Testifying before Congress last October, Equifax's ex-CEO, Richard Smith, blamed the breach on multiple mistakes, including a security team employee failing to act on an internal March 2017 security alert that should have led the company to patch the Apache Struts web application framework an attacker later exploited; the company did not discover the intrusion until July 2017. Equifax also failed to scan its infrastructure and verify that all required patches had been installed (see Equifax Ex-CEO Blames One Employee For Patch Failures).
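The verification step Equifax skipped, and the years-old WordPress install at Carphone Warehouse, both come down to the same routine check: compare what is actually deployed against the versions the vendor has fixed, and flag anything that has not been touched in a long time. The script below is an added example of that check, not ICO guidance and not tooling from any company named in this article. The inventory rows, the minimum-version baseline and the 180-day staleness limit are constructed for the demonstration; in practice the inventory would come from an asset scanner and the baseline from vendor advisories.

```python
"""Patch-compliance check over a software inventory.

Added example (not ICO guidance, not any named company's tooling).
Inventory rows, baseline versions and the staleness limit are constructed
for this demonstration.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    last_updated: date  # when this component was last patched


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1). Numeric tuple comparison avoids the
    string-compare trap where '2.3.4' sorts after '2.3.32'.
    Non-numeric parts such as '-rc1' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def branch_of(version: str, width: int = 2) -> tuple:
    """Release branch used to select the right fix line: '2.3.31' -> (2, 3)."""
    return parse_version(version)[:width]


# Lowest fixed version per product and release branch. ASSUMED baseline values
# for the example; a branch key of () means one minimum applies to every branch.
BASELINE = {
    "apache-struts": {(2, 3): "2.3.32", (2, 5): "2.5.10.1"},
    "wordpress": {(): "4.9.1"},
}

MAX_AGE_DAYS = 180  # assumed policy: not patched within this window is stale


def check_asset(asset: Asset, today: date) -> list:
    """Return the findings for one asset; an empty list means compliant."""
    findings = []
    fixes = BASELINE.get(asset.product)
    if fixes is None:
        findings.append("no baseline: product is not tracked, inventory gap")
    else:
        key = () if () in fixes else branch_of(asset.version)
        minimum = fixes.get(key)
        if minimum is None:
            branch = ".".join(str(n) for n in key)
            findings.append(f"branch {branch} has no supported fix: migrate")
        elif parse_version(asset.version) < parse_version(minimum):
            findings.append(f"{asset.version} is below fixed version {minimum}")
    age = (today - asset.last_updated).days
    if age > MAX_AGE_DAYS:
        findings.append(f"last patched {age} days ago (limit {MAX_AGE_DAYS})")
    return findings


def audit(inventory, today: date) -> dict:
    """Map host -> findings for every non-compliant asset."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, today)
        if findings:
            report[asset.host] = findings
    return report


# Constructed sample inventory and audit date.
SAMPLE_INVENTORY = [
    Asset("web-01", "apache-struts", "2.3.31", date(2016, 11, 2)),
    Asset("web-02", "apache-struts", "2.5.10.1", date(2017, 3, 8)),
    Asset("blog-01", "wordpress", "2.8.4", date(2009, 8, 12)),
    Asset("legacy-01", "apache-struts", "2.2.3", date(2014, 1, 1)),
    Asset("app-07", "custom-billing", "1.0", date(2009, 1, 1)),
]
AUDIT_DATE = date(2017, 3, 15)

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Three outcomes matter in the report: a version below the fixed one (the Struts case), a component nobody has touched for years even if no fix line is tracked for it (the WordPress case), and a product with no baseline at all, which is an inventory gap rather than a clean result. Treating "not tracked" as a finding is the point: a patch check can only verify what the inventory knows about.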
More Action Required
Even if a company mishandles a patch, however, that single failure should not be enough on its own to cause a data breach, the ICO says; other controls should limit what an attacker can reach and read.
"Systems should be protected at each step, you should be looking at your data flows, understanding how your data moves across and beyond your organization, both in the electronic format and the 'real' world format," Houlden says. "You should be evaluating the impact of a data breach, or data loss on you, financially, and your reputation. Data should be secure at rest as well as when in transit - even if a hacker gets the data they shouldn't be able to read it."
Houlden says every effective security program will include a blueprint specifying how network infrastructure has been protected, in part via "firewalls, access control lists, VLANs as well as non-technological preventative measures such as CCTV, fences and security personnel if needed."
The ICO also wants to see least-privilege access to data. "Not knowing who in your organization has access to what or who is responsible for it can be a massive hole in your security," Houlden says.
Regulators Signal GDPR Intentions
If a breach occurs, the ICO will assess organizations that handle Europeans' data against these and other essential information security practices, procedures and tools.
So act now or risk paying later, says data protection attorney Rachel Forbes of the law firm Pinsent Masons in a blog post. She warns that the ICO is clearly signaling that it will penalize businesses guilty of "burying their head in the sand and overlooking weaknesses and vulnerabilities in systems."
With GDPR not being enforced until May 25, there's no black-and-white understanding yet of how such enforcement might proceed. "It is our understanding that where an actual breach occurs pre-25 May 2018 and the business either doesn't become aware of it until after 25 May 2018 or is investigating the breach and such investigation, and subsequent notification, doesn't end until after 25 May, any regulatory fine would be dealt with as a breach of the Data Protection Act, or indeed the Privacy and Electronic Communications Regulations, should that framework be relevant to the case," Forbes says.
But trying to willfully hide breaches could bring the full force of GDPR down on an organization, she warns. "What the ICO has made clear in its latest comments is that hiding vulnerabilities under the carpet - instead of looking to fix the issue pre-25 May - could result in a substantially greater fine, if a breach materializes post-25 May 2018," she says. "If it is clear to the ICO that measures, including patches, should have been implemented previously, businesses will not be able to argue that it should be subject to enforcement under the Data Protection Act rather than under the GDPR."