ICO Fines Gloucester Council £100K After Heartbleed Snafu

Data protection watchdog the Information Commissioner’s Office (ICO) has fined Gloucester City Council a whopping £100,000 after it failed to protect against the Heartbleed bug, resulting in the theft of sensitive info on council employees.

A cyber-attack exploiting the infamous software flaw took advantage of a vulnerability in the council site all the way back in July 2014.

That resulted in a hacker gaining unauthorized access to council email inboxes, where they downloaded 30,000 emails containing sensitive personal and financial information, the ICO said.

Group enforcement manager Sally-Anne Poole claimed that this was “a serious oversight” by Gloucester City Council and that it should have known that this information could cause “substantial distress” to staff if it ended up in the wrong hands.

“The attack happened when the organization was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack,” she argued.

“Businesses and organizations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty.”

Ilia Kolochenko, CEO of web security firm High-Tech Bridge, described the incident as a “very serious and overt omission” by the council.

“However, I doubt it would be fair or reasonable to shift the blame to the city council. As with many other small cities, they must have blindly relied on a local IT supplier,” he added. “Negligence of the supplier is likely to be the proximate cause of the breach. The city should explore available legal avenues to claim damages and compensation from the supplier.”

Heartbleed is a flaw in the OpenSSL cryptographic software library, one of the most widely deployed implementations of the TLS protocol used to secure web communications. It was publicly disclosed in April 2014.

Yet in a sign of companies’ slow response to the threat, it was still not fixed by 74% of Global 2000 organizations even a year later, according to Venafi.