Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites.  The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – nicknaming it “Cloudbleed” after the 2014 Heartbleed bug – reported it to Cloudflare on February 18, 2017.  Cloudflare disabled the compromised software and stopped the leak later the same day.

The leaked data reportedly included passwords, private messages, encryption keys, session cookies that would let an attacker log into an account without a password, IP addresses and other data.  Leaked data was exposed to search engine crawlers, which began to automatically cache the data, thus complicating remediation.

As of this writing there have been no publicized reports that leaked data has been exploited and Cloudflare has published analysis concluding that the vast majority of its customers probably were not affected.  However, operators of millions of websites and their users are left to wonder whether they were affected and what they should do next.

Below is a summary of what we know now and our thoughts on next steps.

Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues

With infrastructure cybersecurity becoming a growing concern for businesses globally, it is not surprising that yet another industry association – the International Association of Drilling Contractors (“IADC”) – has issued cybersecurity guidelines for its members.  IADC’s Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets address the cyber risks affecting the “digital oilfield” – including wireless offshore technologies and automated drilling assets and drilling control systems.