You will have read the report published this year by the Google Project Zero team on vulnerabilities that, it appears, all modern computers are subject to. Email marketing, and any other business that is dependent on personal data, is under threat.
The names given to these vulnerabilities, Meltdown and Spectre, are hardly reassuring. Given that they provide routes for hackers to access personal data one has to accept that they are not scary enough.
The problem is fundamental and applies to most computers. There are three connected vulnerabilities in processors designed by Intel, AMD and ARM. If you want to know the full details then go to Meltdown and Spectre.
Put simply, hackers could gain access to the host server’s kernel memory, which for those of you who are not technically minded is about as bad as it sounds. It means that any personal data being processed is potentially compromised. Further, credentials and encryption keys could be harvested and so personal data stored elsewhere is also at risk.
At the moment, and perhaps something to emphasise, is that there are no reports of any attacks using these vulnerabilities. Now the secret is out, one assumes that hackers will be looking for ways to exploit the information.
Whether you are a nerd or favour paper and pencil, what you want to know is what you can do. At risk is any personal data you hold, your data processor and your company.
In deciding whether a penalty for any breach of personal data is worthy of penalty, and if so how much, the ICO will place a great deal of emphasis on how a company has reacted to the report of Meltdown and Spectre. Research should be your first response. There’s much on this subject on the ICO website.
As you would expect, the ICO recommends that you should determine which, if any, of your systems are vulnerable. It also suggests that you apply the patches as a matter of urgency. It goes on to say that under the GDPR, starting 25 May this year, failure to apply patches can make a company liable for any breach of security.
The ICO emphasises that Privacy by Design should be in every part of information processing from, to quote their list, the hardware and software to the procedures, guidelines, standards, and polices that your organisation has or should have. It suggests that your systems can’t be exploited if hackers can’t navigate through the front door. Whether this is true or not, it indicates what they will be checking should the worst happen.
You should also ensure that any outside services you use, such as cloud storage, are not vulnerable. You cannot pass the buck to another when it comes to security of personal data.
Are you confident of your antivirus? Microsoft patches might not be compatible with your security software. See here for information on the Microsoft security update.
The one essential in your response to Meltdown and Spectre is to record the steps you take with regards to checking your security and reducing your vulnerability.