Heartbleed too big to investigate: Privacy Commissioner
The OpenSSL vulnerability known as Heartbleed is so widespread that Australia's Privacy Commissioner Timothy Pilgrim has said that his office will not be investigating organisations vulnerable to Heartbleed, unless there are allegations that private information has been taken.
Since the public disclosure of the OpenSSL Heartbleed vulnerability on April 8, hundreds of thousands — if not millions — of organisations have been forced to patch their software, and re-issue SSL certificates in order to ensure that sensitive data cannot be extracted from their servers using the vulnerability.
Australia has already seen its share of companies forced to patch their servers, including the Commonwealth Bank, JB Hi-Fi, the Australian government's Computer Emergency Response Team, and GE Money customers including Myer and Coles.
Organisations that delay patching their servers not only risk losing customer information, but will also be targeted by the Privacy Commissioner under new 13 Australian Privacy Principles that came into force in March.
The Office of the Australian Information Commissioner put out a statement on Friday last week outlining that Australian organisations covered by the Privacy Act must ensure they are taking reasonable steps to protect personal information, and this includes patching vulnerabilities as soon as possible, and then encouraging users to change their passwords.
Organisations may not know if any private data had been taken before the patch was implemented, and some may not be informing customers that they were vulnerable to Heartbleed at all.
Australian Privacy Commissioner Tim Pilgrim told a Communications Alliance event in Sydney yesterday that due to the reach of the vulnerability, he had no intention of investigating businesses affected until allegations come up about specific privacy breaches.
"The Heartbleed issue is obviously an extraordinarily complex one for all of us to be dealing with," he said.
"At this point in time we won't be going out and undertaking an assessment or an investigation at the moment randomly of any particular organisation because of the sheer volume of organisations that have been impacted by this particular issue.
"What we would be looking to do is to see if a matter does come up, and there is an allegation that someone's personal information has been lost from either an organisation or a government agency, we would then look at what steps that organisation or agency has taken to secure that information once having known this vulnerability was there."
He said his office would assess whether an organisation acted to patch it in a timely way, whether it was aware of information leakage, and whether a risk assessment was done to see what harm that would cause individuals. If there was the liklihood of harm, Pilgrim said he would also investigate what steps were taken to advise those individuals.
But he said it would be very difficult to target any one company or government agency right now.
"It would be very difficult to go into one organisation at a particular time over another to check, but should anything come to our attention we would then start to look at them in terms of our investigation," he said.
Overnight a 19-year-old man in Ontario, Canada was arrested and charged over allegations he exploited the Heartbleed vulnerability to obtain 900 social insurance numbers from the Canada Revenue Agency before the agency had been able to patch its servers last weekend.
The Royal Canadian Mounted Police (RCMP) said he faces one count of unauthorised use of computer, and one count of mischief in relation to data contrary to Sections 342.1(1)(a), and 430(1.1) of the Criminal Code.
The police were able to find Stephen Arthuro Solis-Reyes in just four days.
"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in 'O' Division have been working tirelessly over the last four days analysing data, following leads, conducting interviews, obtaining and executing legal authorisations and liaising with our partners," Assistant Commissioner Gilles Michaud said in a statement.
Solis-Reyes' computer was seized, and he is scheduled to appear in court on July 17, 2014.