Blog: Vulnerability Disclosure

ICO makes a mockery of disclosure

Ken Munro 23 Jul 2014

If there’s one thing the security sector has tried to promote over recent years it’s prompt disclosure. Sit on a breach and you can expect the situation to worsen, cost you customers, and even ripple out across industry unchecked. Alert others to your pain and you’re more likely to reduce the harmful effects and are, of course, less likely to incur the wrath of the regulator.

The ICO has championed transparency and disclosure reporting. It’s compulsory for some communications providers to report personal data breaches within 24 hours, for example. So the vehement refusal by the regulator to disclose a “non-trivial data security incident” last week raised a few eyebrows.

The breach occurred at some point during the past year and was sufficient to warrant a full-scale internal investigation, but other than that we were assured there was nothing to see here. Christopher Graham’s lips remained sealed and he issued a churlish instruction to the naturally curious at The Times to file a FOIA request.

Lost time

Breaches suffered and subsequently sat upon by eBay, Sony and Target have all proved how catastrophic tardiness can be. Back in 2011 Sony took seven days to inform its users when the PlayStation Network was hacked, while the Target hack was not reported for 12 days.

eBay tops the charts, however, delaying disclosure by three months and angering end users whose personal data had been at risk during this time. Prompt disclosure would have reduced the exposure of this data and protected the brand which has suffered since, with the sales outlook for Q314 falling short of expectations and the online auction site reportedly struggling to attract new users.

The FOIA may shed more light on the ICO breach but in many respects the damage has already been done. The regulator has shown the kind of hypocritical elitism that should never be seen in an independent authority. The assumption is that it need not observe its own advice. And by refusing to cooperate, it’s doing a very good job of putting us back in the dark ages of deniability.

Knowledge is power

Transparency is a policy that works. We recently worked with Her Majesty’s Treasury, the Financial Conduct Authority, and the Bank of England to help create the CBEST framework, a new standard which places intelligence and incident response at the very heart of cyber security in the City, effectively creating an early warning system for the entire financial district.

Or perhaps we should abandon such cooperative strategies? Take a leaf out of the ICO’s book of bad practice, batten down the hatches and hope for the best? But wait. Haven’t we been here before?

Back in March we revealed that the ICO had been knowingly sitting on a cross-site scripting flaw on its website for, wait for it, five years. Meanwhile, it was busy levying fines against other organisations for website vulnerabilities – up to the tune of £200,000 in one case.

So perhaps we shouldn’t be surprised by the impunity enjoyed by the ICO. But we should be disappointed and I for one would like a regulator that adopts its own advice and leads by example.