UK Privacy Watchdog Warns SolarWinds Victims To Report Data Breaches

United Kingdom’s Information Commissioner’s Office (ICO) has warned organizations that fell victim to the SolarWinds hack that they are required to report data breaches within three days after their discovery.

The UK independent authority urged organizations using compromised versions of the SolarWinds Orion IT management platform to check for evidence of attackers infiltrating their network and gaining access to personal information.

Those at risk of a breach should immediately check if the software version they use is one of the malicious builds used to deploy the Sunburst backdoor — i.e., versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1.

“If a reportable personal data breach is found, UK data controllers are required to inform the ICO within 72 hours of discovering the breach,”the data privacy watchdog said.

“Organizations subject to the NIS Regulation will also need to determine if this incident has led to a ‘substantial impact on the provision’ of its digital services and report to the ICO.”

Personal data breach reports can be submitted online via the ICO website or by calling ICO’s breach helpline for advice.

Also Read: Going Beyond DPO Meaning: Ever Heard Of Outsourced DPO?

SolarWinds hack and ongoing attacks

The UK National Cyber Security Centre (NCSC) has also issued guidance for organizations using SolarWinds Orion after the platform’s compromise was disclosed on December 13th, 2020.

Microsoft, FireEye, SolarWinds, and the U.S. government publicly disclosed the security breach in a coordinated report revealing that SolarWinds had been hacked by a nation-state threat actor believed to be APT29, a hacking group associated with the Russian Foreign Intelligence Service (SVR).

While Russia denied involvement in these attacks [1, 2], Secretary of State Mike Pompeo said in an interview that it is “pretty clear” that Russia was behind that attack.

“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” Pompeo said.

However, security experts and researchers, including FireEye, Microsoft, or Volexity, have not yet attributed the SolarWinds supply chain attack to APT29.

SolarWinds hack victims

After the SolarWinds supply chain compromise was disclosed, several organizations revealed that they were breached including FireEye, Microsoft, and VMware.

Microsoft also discovered that over 40 of its customers were also breached, 80% of them located in the US and 44% in the IT sector.

At the moment, the list of confirmed victims also includes US states and government agencies including:

• U.S. Department of the Treasury
• U.S. National Telecommunications and Information Administration (NTIA)
• U.S. Department of State
• The National Institutes of Health (NIH) (Part of the U.S. Department of Health)
• U.S. Department of Homeland Security (DHS)
• U.S. Department of Energy (DOE)
• U.S. National Nuclear Security Administration (NNSA)
• Some US states (Specific states are undisclosed)

Also Read: How Formidable is Singapore Cybersecurity Masterplan 2020?

Cybersecurity firms have also shared lists of SolarWinds victims over the weekend after they successfully cracked the Sunburst malware’s domain generation algorithm (DGA).

The known list of organizations hit by the SolarWinds hackers has and will slowly increase as new information is revealed following ongoing investigations.