The UK data privacy watchdog, the Information Commissioner’s Office (ICO), is warning businesses that were potentially breached through a compromised SolarWinds Orion patch that they are obliged to report the incident within three days of its discovery.
In a statement published on the ICO website, the regulator said that every business that used a compromised version of the Orion IT management platform must check for evidence of potential network infiltration.
The affected versions are: 2019.4 HF 5, 2020.2 HF 1 and 2020.2 with no hotfix.
“If a reportable personal data breach is found, UK data controllers are required to inform the ICO within 72 hours of discovering the breach,” the ICO explained.
“Organizations subject to the NIS Regulation will also need to determine if this incident has led to a ‘substantial impact on the provision’ of its digital services and report to the ICO.”
The SolarWinds data breach was first spotted by cybersecurity experts at FireEye. While at first it was thought that the final goal was to compromise US government agencies, it appears tech companies were the hardest hit.
The complexity and creativity of the attack have led experts to conclude that a state-sponsored hacking group was behind it. The US government has pointed the finger at Russia, which has denied any involvement.
Whoever was behind the attack first gained access to SolarWinds’ own infrastructure and used that access to insert malicious code into an upcoming patch for its Orion product. Approximately 18,000 customers are reported to have downloaded the compromised patch.