A warning has been issued by the Information Commissioner’s Office (ICO) urging businesses, organisations and individuals to patch their systems against Intel’s security flaws.
Meltdown and Spectre are flaws that were found in Intel’s chips last week, that has affected millions of people reportedly including those using Apple products and other vendors such as Windows. Now, the ICO urges people to protect themselves using a patch to prevent hackers from stealing sensitive personal data.
Meltdown is said to primarily affect processors from Intel, whereas Spectre will affect Intel’s products as well as technology from other manufacturers, including AMD and UK-based ARM.
In a blog post on the ICO website, head of technology policy Nigel Houlden stated that the Meltdown and Spectre security flaws, published by Google’s Project Zero team, would affect almost every modern computer and failure to apply operating system software updates to mitigate against the microprocessor exploits could put personal data at risk.
He warned that the ICO would take the failure to patch known vulnerabilities into account when determining whether an organisation has breached data protection laws.
The three connected vulnerabilities were found in processors designed by Intel, AMD and ARM and they could facilitate an attacker to extract information from privileged memory locations that should be inaccessible and secure. Furthermore, one variant of the attacks would allow for an administrative user in a guest virtual machine to read the host server’s kernel memory, which includes the memory assigned to other guest virtual machines, he said.
If the vulnerabilities are exploited on a system that is processing personal data, that data could be compromised. Alternatively, attackers could steal credentials or encryption keys that would allow them to access personal data stored elsewhere.
Houlden said actual attacks did not appear to have been carried out using these vulnerabilities, but malware writers and hackers could be determining how to make the best use of these vulnerabilities, and checking whether systems are vulnerable.
“We strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency,” he wrote in the blog post.
He said failure to patch known vulnerabilities would be a factor that would be taken into account by the ICO when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.
Moreover, under the EU General Data Protection Regulation (GDPR) that would come into effect from 25 May 2018, there could be circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously, he warned.
Cloud service providers should consider whether they will be considered as a data controller for any virtual machines running on vulnerable systems and organisations that use cloud providers should obtain assurances from the provider that these vulnerabilities have been patched, he said.
Houlden said privacy by design should be in every part of the information processing, from the hardware and software to the procedures, guidelines, standards, and policies that organisations have or should have. Even if hackers get the data, they should not be able to read it.
Meanwhile, the National Cyber Security Centre (NCSC), the cybersecurity wing of Government Communications Headquarters (GCHQ), also urged all organisations and home users to take action to protect themselves from the dangers posed by flaws in computer processors.
In a statement, the NCSC said: “We are aware of reports about a potential flaw affecting some computer processors. At this stage, there is no evidence of any malicious exploitation and patches are being produced for the major platforms. The NCSC advises that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available.”