The bug itself may be called “Heartbleed,” but what should really get your blood pumping is the potential loss of personally identifiable information (PII), including credit card info and passwords.
The bug, which went undetected on the Internet for roughly two years, is not an attack on individual websites or companies like the recent hacks into the systems of Target, Mt. Gox, and others. Instead, Heartbleed is a flaw in OpenSSL, the code many servers rely on to encrypt their traffic, and any server running an affected version can be exploited.
That means that, this time, tens of thousands of servers that house data for thousands of websites could be affected. In essence, any Internet user who conducts business transactions online, or who even has a password saved on a website, could be affected by this bug.
Finnish security firm Codenomicon, which helped discover the bug, says that this could be one of the worst invasions of privacy in Internet history. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content,” the firm said. “This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
The firm said that it tested the exploitable code on its own servers, and it was able to enter and leave without a trace. The OpenSSL project, which maintains the popular code, has released a fixed version that does not have this vulnerability, although widespread adoption may take some time. In one key instance, Yahoo confirmed to Reuters that Yahoo Mail was vulnerable to the bug, but a spokesman said all major Yahoo sites have been patched since the bug’s discovery.
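As an added illustration, not from the article and not OpenSSL’s own code, the C program below models the flaw the article describes: OpenSSL’s heartbeat handler trusted the length field inside the request and copied that many bytes back to the sender, reading past the end of the record into whatever the server happened to hold nearby. The “heap” arena, the neighbouring form data and the two handlers are constructed for this example; the handlers are simplified stand-ins for the vulnerable and patched logic, not OpenSSL’s actual functions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message types and the minimum padding the extension requires. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the server's heap: the received heartbeat record
 * sits at the front, followed by data belonging to other connections. */
static unsigned char heap[256];
static const char neighbour_data[] = "user=alice&password=hunter2&card=4111";

/* Lay out a heartbeat request at the start of the arena. The record really
 * carries real_len payload bytes plus padding, but its header claims
 * claimed_len. Returns the record's true length. */
size_t build_request(uint16_t claimed_len, size_t real_len)
{
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memset(heap + 3, 'A', real_len);                 /* the actual payload */
    memset(heap + 3 + real_len, 0x55, HB_PADDING);   /* padding (random in real TLS) */
    size_t record_len = 3 + real_len + HB_PADDING;
    /* Whatever happened to be next in memory: here a constructed form post. */
    memcpy(heap + record_len, neighbour_data, sizeof neighbour_data);
    return record_len;
}

/* Vulnerable handler, a simplified model of the pre-fix logic: it echoes
 * claimed_len bytes without checking the claim against the record length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                            unsigned char *out)
{
    (void)record_len;                           /* never consulted: the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);          /* reads past the record */
    memset(out + 3 + claimed, 0x55, HB_PADDING);
    return 3 + claimed + HB_PADDING;
}

/* Fixed handler: the same echo with a bounds check. Returns 0, meaning
 * "silently discard", when the claimed length cannot be honoured. */
size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                       unsigned char *out)
{
    if (record_len < 1 + 2 + HB_PADDING)
        return 0;                               /* too short to be a heartbeat */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + HB_PADDING > record_len)
        return 0;                               /* the length field lies: drop it */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    memset(out + 3 + claimed, 0x55, HB_PADDING);
    return 3 + claimed + HB_PADDING;
}

/* Byte-wise search that does not stop at NUL bytes; responses are binary. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* A request carrying 1 byte but claiming 80, sent to the vulnerable handler:
 * 1 if the response contains the neighbour's password, 0 otherwise. */
int vulnerable_leaks_neighbour(void)
{
    unsigned char out[256];
    size_t record_len = build_request(80, 1);
    size_t n = heartbeat_vulnerable(heap, record_len, out);
    return contains(out, n, "password=hunter2");
}

/* The same lying request against the fixed handler: bytes returned (0 = dropped). */
size_t fixed_response_to_lying_request(void)
{
    unsigned char out[256];
    size_t record_len = build_request(80, 1);
    return heartbeat_fixed(heap, record_len, out);
}

/* An honest 1-byte request against the fixed handler: 20 bytes
 * (3-byte header + 1 payload byte + 16 padding) with the byte echoed back. */
size_t fixed_response_to_honest_request(void)
{
    unsigned char out[256];
    size_t record_len = build_request(1, 1);
    size_t n = heartbeat_fixed(heap, record_len, out);
    return (n == 20 && out[3] == 'A') ? n : 0;
}

int main(void)
{
    printf("vulnerable handler leaks neighbour's password: %s\n",
           vulnerable_leaks_neighbour() ? "yes" : "no");
    printf("fixed handler, lying request: %zu bytes returned\n",
           fixed_response_to_lying_request());
    printf("fixed handler, honest request: %zu bytes returned\n",
           fixed_response_to_honest_request());
    return 0;
}
```

The point the model makes is the one the firm’s quote hints at: nothing in the leaked bytes is chosen by the server, so what comes back is simply whatever was adjacent in memory, and a real attacker repeats the request to harvest more. The fix is a single comparison between the claimed length and the length of the record actually received.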
It’s currently unclear whether the security bug has been exploited on a widespread basis. As Lindsey Bever of the Washington Post writes, “It’s as if someone went on vacation not knowing the lock on the front door was broken. Could someone walk in? Yes. Will they? Did they? Who knows?”
For in-house counsel, the most important move will be to consult with IT and other technology experts within the company to determine whether the company’s private information is at risk. If so, have the affected systems patched as quickly as possible, and keep in mind that a patch only closes the hole: because the flaw can expose a server’s secret keys along with user names and passwords, as Codenomicon warns above, the company may also need to replace the affected keys and certificates and have users change their passwords, since the fix recovers nothing already taken. Then work with the IT department to assess the company’s overall level of exposure.