Shellshock flaw and obligations under the Privacy Act

September 30, 2014

The Shellshock flaw has sent more than a ripple through the IT industry. There is a data protection regulation issue involved as well. The genesis of the problem is a flaw in longstanding software, Bash, which was first released in 1989. Given that the software is the means by which users and programs issue commands to computers, an exploitable weakness in it is of particular concern. Exploitable flaws in ubiquitous software which is now part of the structure of many operating systems pose immediate cyber security threats and require an immediate response when detected. The Age in Shellshock: The latest security superbug explained provides an excellent explanation. In addition there has been coverage in Shellshock flaw ‘intertwined’ with modern internet, may affect some Mac users, Shellshock: How to protect your Unix, Linux and Mac servers and Shellshock makes Heartbleed look insignificant.

The seriousness of the threat has prompted the Information Commissioner’s Office in the United Kingdom to issue a release under the heading ICO highlights need to apply security updates after Shellshock flaw discovered which provides:

The Information Commissioner’s Office is urging organisations and individuals to make sure that their IT systems are up-to-date.

The warning comes after the identification of a flaw, referred to by the researchers who discovered it as Shellshock, which has been found in a software component called Bash. Bash is a part of many Linux systems, as well as the OS X operating system used by Apple Macs. The flaw potentially allows any computer with the vulnerability to be taken control of remotely.

Security updates are currently being rolled out to fix this problem and it is important that those vulnerable to the flaw apply any available updates as soon as practically possible. 

An ICO spokesperson said:

“This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure. The worst thing would be to think this issue sounds too complicated – businesses need to be aware of this flaw and need to be monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and ultimately, enforcement action.

“And for people who are concerned their personal information could be at risk on their own devices, the message is clear. Don’t think this all sounds too complicated. Security updates are currently being rolled out – don’t ignore them, but make sure you apply them as soon as practically possible.” 

The Age reports in Top regulators warn banks over ‘Shellshock’ bug as Apple and Oracle prepare patches that the Federal Financial Institutions Examination Council has warned banks to update their systems that use Bash. There has been no statement, as yet, from the Privacy Commissioner.

The relevant Australian Privacy Principle is APP 11.1, relating to security of personal information. It relevantly provides:

11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

  1. from misuse, interference and loss; and
  2. from unauthorised access, modification or disclosure.

The APP Guidelines, on what steps are reasonable under APP 11, provide:

11.7 The ‘reasonable steps’ that an APP entity should take to ensure the security of personal information will depend upon circumstances that include:

  • the amount and sensitivity of the personal information. More rigorous steps may be required as the quantity of personal information increases, or if the information is ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or other personal information of a sensitive nature
  • the nature of the entity. Relevant considerations include an entity’s size, resources and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or gives database and network access to contractors, may differ from the reasonable steps required of a centralised entity
  • the possible adverse consequences for an individual. More rigorous steps may be required as the risk of adversity increases
  • the entity’s information handling practices, such as how it collects, uses and stores personal information. This includes whether personal information handling practices are outsourced to third parties, and whether those third parties are subject to the Privacy Act. If a third party is not subject to the Privacy Act, it may be reasonable for the entity to take steps to ensure the third party meets the entity’s obligations under the Privacy Act, for example through specific privacy obligations in contracts and mechanisms to ensure these are being fulfilled
  • the practicability, including time and cost involved. However an entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances
  • whether a security measure is in itself privacy invasive. For example, while an APP entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12 (APP 12)).

11.8 Reasonable steps could include taking steps and implementing strategies to manage the following:

  • governance
  • ICT security
  • data breaches
  • physical security
  • personnel security and training
  • workplace policies
  • the information life cycle
  • standards
  • regular monitoring and review.

Organisations, particularly large ones that hold sensitive information, clearly need to apply the available patches and determine what, if any, threat to their data exists. There has been sufficient publicity to know that hackers are alive to the weakness. The fact that an organisation was not aware of the flaw, as nobody was until recently, does not excuse a failure to take steps to deal with the problem where a solution exists.

Attackers are actively searching for vulnerable systems, as ZDNet reports in Attackers scan for Shellshock Bash targets, and itnews reports actual attacks in First Shellshock botnet attacks Akamai, US DoD networks.

One issue in the event of a major data breach will be what steps were taken, and when. Remedial action may not be effective on the first attempt: the initial patch was reported to be incomplete in Patched systems remain vulnerable, so an organisation that applied one update and moved on may still be exposed and needs to re-check its systems. Doing nothing is not an option.
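As an added illustration, and not part of the original post or of any vendor's guidance, the following POSIX shell script checks whether the bash installed on a host still executes code smuggled in through an exported function definition. It covers both the original flaw and the incomplete first fix referred to above, so it can be run before and after patching and the result kept with the patching records. The function name, the environment variable name "probe" and the marker string SHELLSHOCK are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the local bash
# is still affected by Shellshock. Prints one of:
#   vulnerable  - bash executed code appended to a function in the environment
#   patched     - neither check triggered
#   absent      - no bash binary on this host
#   unknown     - could not create a scratch directory for the second check

shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo absent
        return 0
    fi

    # Check 1: the original flaw. The variable "probe" holds a function
    # body followed by trailing code. A vulnerable bash runs the trailing
    # 'echo SHELLSHOCK' while importing the function; a fixed bash either
    # refuses the definition or never treats the variable as a function.
    out=$(env probe='() { :;}; echo SHELLSHOCK' bash -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo vulnerable; return 0 ;;
    esac

    # Check 2: the incomplete first fix. On a bash carrying only that fix,
    # parser state leaks out of the function definition and turns the
    # command 'echo date' into a redirection, leaving a file literally
    # named 'echo' in the working directory. Run it in a scratch directory
    # so nothing is left behind on the host.
    tmp=$(mktemp -d) || { echo unknown; return 0; }
    ( cd "$tmp" && env probe='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo vulnerable
        return 0
    fi
    rm -rf "$tmp"
    echo patched
}

# Usage: print the status for this host, e.g. as part of a fleet inventory.
shellshock_status
```

The script needs no privileges and tests the bash binary that is actually installed, which is the one that matters; a distribution's package version number is not proof on its own, because several Shellshock updates shipped in quick succession and the earlier ones were incomplete.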
