U.S. financial regulators have urged banks using the OpenSSL software, which exposes data to hackers, to take steps to protect themselves by upgrading the software as soon as possible.
Coding defects, which have been given the name the “Heartbleed Bug”, have been found in versions of OpenSSL software that were originally released in March 2012. The defects could allow a hacker to decrypt, spoof, or perform attacks on network communications that would otherwise be protected by encryption. A patch for the bug has already been developed and implemented by many affected websites. Users of affected websites are being advised to change their passwords.
It is not only banks which are affected by the Heartbleed Bug. Websites within the Tech, Media and Telecoms sectors have also been affected.
Particularly worrying is the fact that the Heartbleed Bug allows a hacker to attack and steal information from a system without leaving a trace in the target's logs, making it impossible to determine how many, and which, computers have been compromised.
All companies using OpenSSL software will now need to assess where they use the software and, where applicable, install an update to patch the problem. Whether this remediation will take place fast enough, before hackers identify and exploit unprotected systems, remains to be seen, particularly on sites operated by smaller e-commerce companies and other businesses with more limited resources.
The bug is also sure to instigate a critical assessment of the use of open source software by e-businesses and could potentially result in customers of targeted sites seeking to bring claims against online businesses for failing to protect them from the effects of the bug. At Eversheds, we have been advising on the legal issues of using open source software for many years.