ICO urges patching to fix Meltdown and Spectre vulnerabilities, despite performance hit

Fail to patch at your own risk

The Information Commissioner's Office (ICO) has advised companies to patch their systems to prevent the Meltdown and Spectre bugs from being exploited, despite any potential performance loss.

Spectre and Meltdown are vulnerabilities in chips from Intel, ARM, AMD and other vendors that potentially enable attackers to extract information from locations that should be inaccessible. Attackers can also leverage the flaws in one virtual machine to steal information stored in another, via the cloud.

In a new blog post, the ICO says that failing to patch known vulnerabilities could lead to harsher fines under the seventh principle of the extant Data Protection Act, as well as the upcoming GDPR:

‘We...strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency. Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.’

Early reports warned that some users could expect a performance drop of more than a third when applying a fix for the vulnerability. Although Intel has since stated that the ‘average user’ should not be affected, companies are likely to see some performance loss. The ICO encourages patches to be applied regardless of this (and we agree - a performance hit will be the least of your problems if you suffer a breach).

In addition, some antivirus solutions could be incompatible with patches being issued by vendors; Microsoft has released a support notice with more information.