ICO urges UK companies using SolarWinds Orion to check for data breaches

The ICO has released a statement urging all UK companies using Orion, an IT system management platform, to determine if hackers were able to access personal data held by the companies.

“SolarWinds was the victim of a cyber-attack where a vulnerability was inserted into its Orion platform,” the ICO said. “Organisations using the compromised Orion platform could potentially have allowed an attacker to move into other parts of its IT Network and systems and breach personal data.”

Customers should determine if they are using any of the following compromised software: versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. SolarWinds has provided instructions on how to determine your company’s version.

The UK watchdog says  customers should also check if any personal data they hold has been affected by the breach. If a reportable personal data breach is found, the ICO says, UK data controllers are “required to inform the ICO within 72 hours of discovering the breach.”

Additionally, UK customers subject to the NIS Regulation will also need to determine if the breach on SolarWinds’ platform “has led to a substantial impact on the provision of its digital services”.

The National Cyber Security Centre (NCSC) has also issued guidance on its website.

The NCSC states, “An attacker has been able to add a malicious, unauthorised modification to SolarWinds Orion products which allows them to send administrator-level commands to any affected installation.”

It adds, “There is evidence of the attacker using this capability in some cases to move from a single Orion server to other parts of the victim’s IT network.”

Reports can be submitted online, or organisations can call the ICO’s personal data breach helpline for advice on 0303 123 1113, option 2.