ICO: Firms that fail to install Meltdown and Spectre patches could face fines for breaches

Firms that fail to patch against Meltdown and Spectre microprocessor bugs could face fines if they lead to a data breach, the Information Commissioner’s Office has warned.

Nigel Houlden, head of technology policy at the ICO, said that hackers would already be checking whether systems are vulnerable to the exploits.

The two security flaws, made public last week, affect millions of computers, tablets and mobile phones and could expose sensitive data to hackers. Google, Microsoft, Apple, Linux and Amazon are among the firms to have already shipped patches to protect against them.

“We strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency,” Houlden wrote in a blog post.

Failure to patch known vulnerabilities is one way the ICO determines whether a breach is serious enough to warrant a civil monetary penalty, he added.

Under the EU’s General Data Protection Regulation, which comes into force in May, organisations could also be held liable for a breach if they have not taken appropriate security measures, such as issuing updates.

Patches designed to resolve the vulnerabilities may have performance hits on some workloads. Houlden said that organisations will have to make their own choices: “If they choose not to [patch systems], we would expect significant mitigations to be in place and well understood.”

A spokesperson for the National Cyber Security Centre said there was no evidence of malicious exploitation to date: “The NCSC advises that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available.”

Google’s researchers had been due to publicly disclose the flaws this week, after firms had taken measures to issue patches. But The Register scooped them, forcing firms to urgently ship the updates before the bugs could be exploited.