Out-Law News 2 min. read

Data protection fine shows security risks from using open source software cannot be ignored, says expert


A six-figure fine issued to a local authority in England for a breach of UK data protection laws should serve as a reminder to all organisations of their need to manage the security risks inherent in using 'open source' software, an expert has said.

Tom Hadden of Pinsent Masons, the law firm behind Out-Law.com, said the need to manage those risks will become even greater once the General Data Protection Regulation (GDPR) begins to apply. Businesses face fines of up to 4% of their annual global turnover, or €20 million, whichever is the greatest, under the new Regulation, which will apply from 25 May 2018.

Hadden was commenting after the UK's Information Commissioner's Office (ICO) imposed a £100,000 fine on Gloucester City Council over its failure to fix a weakness in the security of its website. The vulnerability was exploited by a hacker who was able to access sensitive personal data relating to between 30 and 40 current and former employees of the council.

The ICO said Gloucester City Council was responsible for a serious breach of the Data Protection Act.

According to the ICO, Gloucester City Council failed to ensure software it was using was updated to fix a vulnerability in coding known as the 'Heartbleed' bug, which was identified in April 2014 as existing in some versions of encryption software developed by via the open source 'OpenSSL Project'.

Although IT staff at the council flagged the need to update the software, a patch issued for the software was never applied, according to the monetary penalty notice (17-page / 3.02MB PDF) issued by the ICO. The patching was "overlooked" at a time when the council was outsourcing its IT to a third party supplier, it said.

In a statement, the ICO said that Gloucester City Council "did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made". Sally Anne Poole, group enforcement manager at the ICO, described this as "a serious oversight" on the part of the authority.

"A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack," Poole said. "The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff. Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty."

Hadden of Pinsent Masons said: "This is a classic cautionary tale for businesses about the importance of keeping their software and systems properly up to date, and exercising constant awareness regarding patches that address security vulnerabilities."

"The Heartbleed bug is probably the most well publicised security vulnerability in the history of open source software because of its wide reaching impact. However, the patch to fix the vulnerability was readily available in April of 2014 and, as the ICO said, the patch was widely publicised," he said.

"Given the hefty fines regime that will be installed by the GDPR when it comes into force in the UK on 25 May 2018, it is of greater importance than ever that companies take the steps necessary to keep their software up to date and ensure that their data, particularly sensitive personal data, remains secure," Hadden said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.