The Data Protection Commissioner (DPC) has issued guidance to data controllers following information that has now emerged regarding the discovery of the serious IT security vulnerabilities known by the names Meltdown and Spectre.
The DPC advises data controllers to check with their system manufacturers and providers, as well as their cloud service providers, regarding these vulnerabilities and to apply any security, hardware and software patches as soon as they become available. Controllers are also advised to ensure that their hardware firmware is up to date.
More generally, controllers are advised to ensure that they have regular, consistent and comprehensive patch management procedures in place. The DPC advises that “it is good practice to install software/hardware patches within a test environment to ensure that these patches will function correctly within a live environment and do not cause further potential issues.”
The Meltdown and Spectre CPU flaws combined affect virtually all computers and other IT hardware including laptops, tablets and phones. The vulnerabilities appear to provide a means by which malicious software may be able to read otherwise protected memory on a computer system. This could be exploited by hackers to gain widespread access to data on the computer system, including sensitive data, passwords and encryption keys.
The flaws were reportedly first discovered in June 2017 but only made public in January 2018. One of the researchers who discovered the flaws described Meltdown in particular as being “probably one of the worst CPU bugs ever found.” It is not known whether hackers have already exploited the flaws and it is understood to be very difficult to detect such intrusions.
Contributed by: David Cullen