ICO’s recommendations on Meltdown and Spectre

In a post of January 5th, Nigel Houlden, the Head of Technology Policy of ICO (the United Kingdom Data Protection Authority) gives organizations recommendations on how to deal with Meltdown and Spectre and protect people’s personal data.

As it is now well known, three connected vulnerabilities have been found in Intel’s, AMD’s, and ARM’s processors which could allow hackers to “extract information from privileged memory locations that should be inaccessible and secure.”

Consequences for data controllers are twofold: i) because of the vulnerabilities, stored personal data could be compromised; ii) because of the vulnerabilities, stored credentials or encryption keys could be compromised and used to access data that is stored elsewhere.

‘We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency. Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.’
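The first step the ICO asks for is an inventory of which systems are still exposed. As an added example (not part of the ICO post or of this article), the script below reads the per-CPU vulnerability status that Linux kernels with the Meltdown/Spectre fixes export under /sys/devices/system/cpu/vulnerabilities/ and turns it into a patch-or-not verdict. The three file names are the kernel's own; the sample status strings are constructed here to show the three cases a kernel reports (vulnerable, mitigated, not affected), plus an older kernel that exposes no files at all.

```python
"""Classify a Linux host's Meltdown/Spectre exposure from the kernel's sysfs report."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
NAMES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse category."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        # The kernel prints "Vulnerable" (sometimes with detail after a colon)
        # when it knows the CPU is affected and has no effective mitigation.
        return "vulnerable"
    # Empty or unrecognised text: the kernel predates the reporting files,
    # so the host cannot be shown to be safe and is treated as unpatched.
    return "unknown"


def assess(statuses: dict) -> dict:
    """Classify each vulnerability and decide whether the host needs work."""
    result = {name: classify(statuses.get(name, "")) for name in NAMES}
    result["needs_patching"] = any(
        result[name] in ("vulnerable", "unknown") for name in NAMES
    )
    return result


def read_sysfs(path: str = SYSFS_DIR) -> dict:
    """Read the real status files; a missing file yields an empty string."""
    statuses = {}
    for name in NAMES:
        try:
            with open(os.path.join(path, name)) as fh:
                statuses[name] = fh.read()
        except OSError:
            statuses[name] = ""
    return statuses


# Constructed sample reports, not captured from a real host.
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_UNAFFECTED = {
    "meltdown": "Not affected\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_OLD_KERNEL = {}  # kernel too old to export the files at all


if __name__ == "__main__":
    live = read_sysfs()
    source = live if any(live.values()) else SAMPLE_UNPATCHED
    for key, value in assess(source).items():
        print(f"{key:16} {value}")
```

Run it as root or an ordinary user on each Linux host (the files are world-readable); a `needs_patching` of `True` flags the host for the patch-and-test step the ICO describes. An "unknown" result is deliberately treated as unpatched, since a kernel that cannot report its status has certainly not received the fixes.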

More here: Nigel Houlden, Meltdown and Spectre – what should organisations be doing to protect people’s personal data?

For more information on this, and more generally on GDPR and EU data protection, contact us.