The ICO has issued a statement confirming that organisations should immediately check to see whether they are potentially a victim of the cyber-attack carried out through the SolarWinds Orion IT management platform (see ICO statement). Initial technical research indicates that while the majority of potentially compromised users of Orion are based in the United States of America, there are significant numbers of users in the United Kingdom and EU.
The versions of the software that were compromised are 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1 (more information is available from the National Cyber Security Centre at this link). Businesses should immediately check whether they used the relevant versions and whether they were potentially compromised. Businesses should also ask questions of third-party processors and sub-processors which process personal data on their behalf to identify whether they are, or were, using compromised versions of Orion.
If a business concludes with a reasonable degree of certainty that a security incident leading to the compromise of personal data has taken place, the usual reporting obligation for data controllers to notify the ICO (or other appropriate lead supervisory authority within the EU) within 72 hours of discovering the breach applies. Data processors which identify that they may have been compromised should comply with their legal and any contractual obligations to notify their data controllers. Data controllers which identify that they are impacted should also consider whether they have an obligation to notify data subjects.
SolarWinds has stated that it believes that around 18,000 customers were affected. As with other similar supply chain attacks, it may be that a significant number of those customers are ‘collateral damage’, i.e. not the actual targets of the attack. In many cases, the vulnerability created by the attack on SolarWinds Orion may not have been exploited, but businesses should take appropriate immediate steps to identify if they used the relevant versions, and if so investigate whether there is evidence that there has been a personal data breach.
The key additional step potentially impacted businesses need to take is to remediate their risk if they were using compromised versions of Orion. The NCSC guidance (at link) sets out the immediate steps to take if compromised versions of Orion were, or are, in use. As explained by colleagues (here), there is likely much more to come in relation to this incident. Potentially impacted businesses should closely monitor the situation as more information becomes available, and seek appropriate technical and legal advice.