Last week it was revealed that hackers have gained access to several US government departments by hijacking software from SolarWinds, a Texas-based IT group that supplies networks-monitoring tools for organisations in both the public and private sectors. SolarWinds’ products are also used by several think-tanks and cyber security firms, including the US public cybersecurity firm FireEye.

How has the cyber-attack impacted the UK?

Whilst most of the victims of the cyber-attack may be based in the US, the National Cyber Security Centre (NCSC) has recognised that the incident does have global reach. The NCSC has published actionable guidance on how to mitigate the impact of the attack for users of the SolarWinds Orion platform.

The ICO’s statement today also stresses that the incident could mean that some of the victims of the SolarWinds cyber-attach have suffered a data breach. Under GDPR, UK organisations are required to inform the ICO within 72 hours of discovering a data breach. Organisations regulated by the Network and Information Systems Regulations 2018 may also need to notify.

What should you do?

The statements of both the NCSC and ICO should help organisations identify whether they may have been affected by the incident. We recommend that businesses review their cybersecurity supply chain and identify whether the relevant version of SolarWinds Orion has been used. If so, organisations should follow the steps recommended by the NCSC and engage both their IT team and legal advisors to ascertain whether a data breach has occurred.

This article was written by Yunzhe Zhang