Britain’s Internet regulator, the Information Commissioner’s Office (ICO), has fined the city council of Gloucester £100,000 ($125,000) after local authorities failed to apply a security update for almost three months.
The incident took place back in 2014, when the council’s IT staff did not patch its servers against Heartbleed, a vulnerability in OpenSSL that allowed attackers to send the server repeated malformed requests and read back fragments of its memory.
Anonymous hacked the council’s email server
The unpatched server did not go unnoticed: the flaw was exploited by hackers affiliated with the Anonymous collective, who stole more than 30,000 emails from the council’s email server, affecting between 30 and 40 staff members.
After the hack, council IT staff patched the flaw, but by then the damage had already been done. The ICO began investigating the incident following the attack.
In a report published last week, the ICO announced the fine, concluding that the city’s IT staff had failed to apply a patch that had been made freely available and was publicly promoted across the security industry.
It took city IT staff three months to patch the affected servers
In particular, Gloucester did not have a process in place to ensure that, while its IT services were being outsourced, the patch for the Heartbleed flaw was applied at the appropriate time. This was an ongoing contravention from 8 April 2014, when a patch for the affected software became available, until Gloucester took remedial action on 22 July 2014.
The UK regulator appears to be miffed by Gloucester’s slow response time, especially since the ICO itself had published a blog post on the matter on May 13, 2014, titled “Heartbleed and the importance of encrypting internet traffic.”
Gloucester officials said they are considering an appeal in the hope of a smaller penalty. The fine will have an impact on local city finances, since the council will have to delay various projects or forgo various planned expenses to pay the ICO.