Following the publication of serious security flaws discovered in processors manufactured by Intel, AMD and ARM, the Information Commissioner’s Office (ICO) has called on businesses to patch their systems to protect data.
Discovered by Google’s Project Zero research team, the Meltdown and Spectre flaws affect almost all modern computers.
The vulnerabilities enable attackers to extract information from privileged memory locations, which should be inaccessible and secure. Businesses could find that attackers are able to gain access to encryption keys, passwords for any service being run on the machine, or session cookies for active sessions within a browser.
This means that if these flaws are exploited on a system processing personal data – for example, that of a customer – that information could be accessed by a hacker.
The ICO has therefore “strongly” recommended that businesses establish which of their systems are vulnerable, and that they test and apply the patches urgently.
According to the ICO, a failure to patch known vulnerabilities is taken into consideration when determining whether a breach of the Data Protection Act should warrant a civil monetary penalty.
In addition, the ICO pointed out that under the General Data Protection Regulation, which comes into force on May 25, there may be circumstances when organisations could be liable for a security breach relating to measures that should have been taken previously, such as patches.
Nigel Houlden, head of security policy at the ICO, wrote in a blog post that there are issues preventing companies from patching, including performance drops and incompatible antivirus solutions.
He wrote: “Ultimately, organisations will have to make their own choices on whether to patch, but if they choose not to, we would expect significant mitigations to be in place and well understood.”
Mr Houlden added that “taking care of the basics” will help companies protect themselves from attacks and the loss of data.