Office of the Privacy Commissioner | Heartbleed advisory note
Researchers have discovered an internet vulnerability named Heartbleed. Until it is fixed, Heartbleed will make connections encrypted with OpenSSL insecure; these connections secure much of the internet’s information flows. New Zealand website owners should check their servers urgently and patch them if required.
Individuals should wait until servers are patched before changing their passwords, but should be prepared to change them within the next day or so. Adding second-factor authentication, where available, will also improve security.
Principle 5 of the Privacy Act (or relevant privacy codes of practice) requires that, if you hold personal information, you take reasonable steps to secure it. If your website is affected by Heartbleed and you are not taking steps to remedy this, then you are unlikely to be meeting your obligations under the Act.
If your servers were vulnerable and you have patched them, consider contacting your customers to prompt them to change passwords.
Further information on fixing the vulnerability can be found at the New Zealand Internet Task Force’s website.
There is also helpful information on the Netsafe website.