
SolarWinds was the victim of a cyber-attack in which a vulnerability was inserted into its Orion platform. Organisations using the compromised Orion platform could potentially have allowed an attacker to move into other parts of their IT network and systems and breach personal data.

What should organisations do?

Organisations should immediately check whether they are using a version of the software that has been compromised. These are versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1.

SolarWinds has provided detailed instructions to allow its customers to determine what version of the Orion platform they are running and to enable them to upgrade and resolve the issue. Further details can be found on the SolarWinds website.

Organisations must also determine if the personal data they hold has been affected by the cyber-attack. If a reportable personal data breach is found, UK data controllers are required to inform the ICO within 72 hours of discovering the breach. Reports can be submitted online or organisations can call the ICO’s personal data breach helpline for advice on 0303 123 1113, option 2.

Organisations subject to the NIS Regulation will also need to determine if this incident has led to a “substantial impact on the provision” of their digital services and report to the ICO.

The National Cyber Security Centre has published guidance for organisations seeking further advice.