ICO issues guidance over processor security flaws

The ICO has issued guidance for businesses dealing with processor security flaws.

Following the publication of serious security flaws discovered in processors manufactured by Intel, AMD and ARM, the Information Commissioner’s Office (ICO) has called on businesses to patch their systems to protect data.

Discovered by Google’s Project Zero research team, the Meltdown and Spectre flaws affect almost all modern computers.

The vulnerabilities enable attackers to extract information from privileged memory locations, which should be inaccessible and secure. Businesses could find that attackers are able to gain access to encryption keys, passwords for any service being run on the machine, or session cookies for active sessions within a browser.

This means that if these flaws are exploited on a system processing personal data – for example, that of a customer – that information could be accessed by a hacker.

The ICO has therefore “strongly” recommended that businesses establish which of their systems are vulnerable, and that they test and apply the patches urgently.

According to the ICO, a failure to patch known vulnerabilities is taken into consideration when determining whether a breach of the Data Protection Act should warrant a civil monetary penalty.

In addition, the ICO pointed out that under the General Data Protection Regulation, which comes into force on May 25, there may be circumstances when organisations could be liable for a security breach relating to measures that should have been taken previously, such as patches.

Nigel Houlden, head of security policy at the ICO, wrote in a blog post that there are issues preventing companies from patching, including performance drops and incompatible antivirus solutions.

He wrote: “Ultimately, organisations will have to make their own choices on whether to patch, but if they choose not to, we would expect significant mitigations to be in place and well understood.”

Mr Houlden added that “taking care of the basics” will help companies protect themselves from attacks and the loss of data.