Tips for Handling the Heartbleed Bug


Last month, the world learned of the discovery of the "Heartbleed" bug, a software flaw leaving approximately two-thirds of the world's Internet servers vulnerable to potential hackers. This revelation sent Internet service providers (ISPs) and tech companies scrambling to evaluate and apply additional data security measures to protect online information.

Addressing the issue is an onerous task, requiring software patches, replacement of compromised security certificates, resetting of passwords and other measures. While large organizations may have the resources to respond to such a significant security breach, many smaller ones do not, leaving their own data and their customers' data exposed to potential threats.

Heartbleed is not actually a virus but a hole in OpenSSL, software installed on servers to encrypt traffic so that data cannot be intercepted in transit. The vulnerability allows potential hackers to impersonate bank services or users, steal login credentials, access sensitive email or gain access to internal networks. Because OpenSSL is used by a wide variety of websites, e-mail servers, web servers, virtual private networks, instant messaging and other applications, the number of servers affected could be significant.

Fortunately, the same day Heartbleed was disclosed, a fix became available, and most major ISPs have already applied the simple software patch. However, even organizations without their own servers may still be vulnerable if they rely on online services and applications such as Dropbox, PayPal, Evernote or Facebook for their daily operations. As a result, cybersecurity specialists and officials are urging companies and individuals to take steps to secure their online accounts and assess whether they were exposed to any malicious activity.

Experts recommend that organizations take the following measures:

  • Conduct an internal security audit to identify and upgrade vulnerable internal systems and services, including devices like routers, network storage devices and other access points.
  • Apply the necessary security patches and test to ensure a secure configuration.
  • Once the patch is in place, change all passwords, beginning with sites containing the most sensitive personal or business information, such as banking and credit card sites and email and social media accounts.
  • Ensure third-party vendors that use OpenSSL on their systems are aware of the vulnerability and are taking the appropriate steps to mitigate the risk.
  • Be aware of phishing emails, a type of Internet fraud designed to steal identities. Security experts warn of phishing scams exploiting people's fear of Heartbleed. The rule is "do not click on links in emails." Instead, go directly to the specific websites to change passwords.
  • Do not re-use passwords.
  • Closely monitor accounts for suspicious activity over the next few months.
  • Reassure customers through a carefully worded email, blog post and/or special page on the company website of the security measures taken to protect their information. Assure them, unless you have evidence to the contrary, that their data was not compromised.
  • Advise customers to change their passwords just to be safe.

Although Heartbleed presents a considerable security threat, organizations that have implemented comprehensive data security and privacy measures are better prepared to protect themselves and their customers.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomson Reuters Compliance Learning | Attorney Advertising
