Disclosed in April 2014, Heartbleed is the vulnerability gift that keeps on giving to some -- and taking away from others. The latest example of this dynamic surfaced today when ICO, the UK's data regulator, levied a £100,000 fine against the Gloucester City Council for poor hygiene which resulted in the theft of employees personal information.
According to this article, the hackers took advantage of a software flaw in Gloucester City Council's website to download more than 30,000 emails from the council's mailboxes which contained financial and sensitive information about council staff.
ICO stated the hacker exploited the Heartbleed security bug within OpenSSL. But here's the problem for Gloucester City Council: a fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed. The implication is that Gloucester and their IT outsourcing partner did nothing for months to patch the vulnerability -- even though a fix was readily available. Thus Heartbleed is taking £100,000 from the council more than 3 years after the fact.
ICO's report found that the council and it's IT outsourcing partner guilty of "serious oversight" which left staff's emails open to attack months after Heartbleed had been disclosed and patched. ICO's investigation found the council did not have sufficient open source governance controls to ensure that defective components are found and fixed as soon as possible whenever a zero day vulnerability is announced. Heartbleed, as a result, is giving £100,000 to ICO coffers.
Truth be told -- open source software components form the foundation for 80 - 90% of every modern software application. So, in order to prevent another zero day vulnerability like Heartbleed from wreaking havoc -- enteprises are embracing new types of tools to automate open source governance and actively managing how components flow through their software supply chains.