The 19 July CrowdStrike software update caused a global cyber crash that affected critical services across various industries, including hospitals, airlines, and financial institutions, and it has had many people reviewing their privacy and cyber processes. Estimates currently stand at 8.5m computers affected, around 1% of Windows machines worldwide. Unprecedented in its size, the incident can serve as a reminder of many lessons for privacy and security teams:
- The need to ensure that their organisation has strong change management policies and procedures in place. The CrowdStrike outage appears to have been caused by a software update defect (malfunction), and ideally sound development, testing, and quality assurance review and approval procedures would have detected any flaws before production deployment.
- The importance of having formal backup policies and procedures, business continuity plans, and disaster recovery procedures. These should be current, approved by management, and periodically tested to provide for timely recovery of systems when unexpected events transpire.
- As part of the change management processes, if it is not possible to have “staging” environments separate from production environments for testing, the production environment should be configured so that it is resilient to the failure of a group of servers. Updates should then be applied to one group of servers at a time, with appropriate monitoring for potential failures.