Date: 2017-06-13

THE UK INFORMATION COMMISSIONER'S OFFICE (ICO) has done what it occasionally does and fined an outfit for not properly handling data and falling victim to Heartbleed.

The ICO has fined Gloucester City Council £100,000 because an attacker managed to access its employees' sensitive personal information. This was rather the point of Heartbleed. Heartbleed did its job in Gloucester and led to the theft of over 30,000 emails, all of which contained personal and financial information.

The ICO is particularly miffed because it was always warning organisations about Heartbleed. It says that the council failed to fix the vulnerability "in a timely manner" and this resulted in a visit from "Anonymous" and the loss of data.

"This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack," said Sally Anne Poole, group enforcement manager at the ICO.

"The ICO investigation found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made.

"The attacker contacted them claiming to be part of Anonymous, a group known for attacks on websites. The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff.

"Businesses and organisations must understand they need to do everything they can to keep people's personal information safe and that includes being extra vigilant during periods of change or uncertainty."

Security firms have moved on from warning people about Heartbleed in favour of WannaCry, but at least one has some sympathy with the council.

"This is a very serious and overt omission indeed. However, I doubt it would be fair or reasonable to shift the blame to the city council. As with many other small cities, they must have blindly relied on a local IT supplier," said Ilia Kolochenko, CEO of web security firm, High-Tech Bridge.

"Negligence of the supplier is likely to be the proximate cause of the breach. The city should explore available legal avenues to claim damages and compensation from the supplier." µ