ICO Fines Gloucester City Council £100,000 For Heartbleed Hack

The affects of the Heartbleed exploit have been felt by Gloucester City Council after the Information Commissioner’s Office (ICO) fined the council £100,000 for leaving sensitive personal information open to attack.

Gloucester City Council suffered a data breach in July 2014 through cyber attack from a hacker who was able to make use of the Heartbleed, a bug in OpenSSL that can be exploited to enable hackers to read a system’s memory protected by versions of OpenSSL with the flaw.

Heartbleed can be used to exfiltrate data, eavesdrop on conversations and impersonate users or services; in the council’s case it led to the unauthorised download of more than 30,000 emails by a hacker claiming to be part off the Anonymous group.

Heartbleed effects

The hack, data breach and the subsequent results are an indication of the affect major bugs like Heartbleed can have if not fixed quickly.

The ICO took Gloucester City Council to task as it had ample time and warning to take action to fix the flaw. However, it failed to do so meaning personal information was put at risk when it could have been avoided and thus the data protection law was broken.

“This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack,” said Sally Anne Poole, group enforcement manager at the ICO.

What is your biggest cybersecurity concern?

  • Ransomware (28%)
  • Humans / Social Engineering (27%)
  • State sponsored hackers (14%)
  • Malware (14%)
  • Other (7%)
  • Out of date tools (6%)
  • DDoS (4%)

Loading ...

Problems stemmed from Gloucester City Council failing to have the proper processes in place to ensure their systems were updated when changing their suppliers.

“The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff,” Poole said.

“Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty.”

The ICO takes no prisoners when it comes to organisations failing to update old systems to protect data; it recently criticised the Metropolitan Police Serviced for the security risks of continuing to use Windows XP.

Do you know all about security in 2017? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

Smartphone Shipments To Rebound In 2024, Says Counterpoint

Relief for Apple, Samsung etc after smartphone shipments are predicted to recover in 2024, as…

19 mins ago

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

21 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

22 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

23 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

1 day ago