MOVEit Transfer incident (May 2023)
In May 2023, a vulnerability was found in MOVEit Transfer. Progress Software Corporation has issued guidance to organisations to help protect their MOVEit Transfer environment.
In order to protect personal data from malicious attacks, which may aim to extract, delete or edit personal data, data controllers and processors should:
- Disable all HTTP and HTTPs traffic to their MOVEit Transfer environment.
- Delete any instances of the file “human2.aspx” or any other “human2” files that have been created on their systems.
- Delete any unauthorised or unrecognised user accounts or files recently created.
- Apply the relevant patch which can be found at the above link.
- Perform an investigation to determine if their organisation had the vulnerability exploited – a complete list of steps to perform can be found again at the link above.
- Only then re-enable HTTP and HTTPS traffic to their MOVEit Transfer environment, once they are confident they have mitigated any potential compromise.
- Continue monitoring for compromise and known indicators of compromise from this vulnerability.
As a matter of good data protection practice, we advise regular vulnerability scans and maintaining a knowledge of vulnerabilities present within your organisation’s systems and applications. This can help speed up mitigation of these types of vulnerability. Our Accountability Framework outlines some of the steps you can take to assess your systems and applications.
Log4j incident (March 2022)
In December 2021, a vulnerability was found in Log4j. This is a popular open-source logging tool developed by the Apache Foundation and used in lots of software; from web applications to email clients.
NCSC have developed advice and guidance to ensure organisations who may be using affected software can protect their systems.
ICO advice for data controllers and processors
In order to protect personal data from malicious attacks, which may aim to extract, delete or edit personal data, data controllers and processors should:
- Update Log4j to the latest version (currently 2.17.1) as soon as possible.
- Regularly check and update your third-party software packages, ensuring any updates relevant to log4j are applied as soon as possible.
- Consider if the vulnerability is likely to pose a risk to personal data and cause detriment to individuals, particularly, when updates are not currently available. If it is likely to pose a risk, then there are steps that your organisation can take to mitigate the vulnerabilities prior to a third party providing an update.
If a vulnerable Log4j version is found to exist on your organisation’s network, we strongly recommend conducting an additional investigation to detect if there has been any malicious activity.
As a matter of good data protection practice, we advise regular vulnerability scans and maintaining a knowledge of vulnerabilities present within your organisation’s systems and applications. This can help speed up mitigation of these types of vulnerability. Our Accountability Framework outlines some of the steps you can take to assess your systems and applications.