Australian Government - Office of the Australian Information Commissioner - Home

Bourne Again shell (BASH) vulnerability

30 September 2014

Businesses and government agencies are urged to protect their IT systems against the Bourne Again Shell (BASH) vulnerability that could allow unauthorised users to access and manipulate their systems, including systems that hold personal information. The identified vulnerability affects many Unix-based operating systems including Linux and Mac OS X, in particular those that host internet-facing services such as a website.

The Office of the Australian Information Commissioner (OAIC) reminds all entities covered by the Privacy Act 1988 (Privacy Act) that they must take reasonable steps to protect the personal information they hold. These obligations include regularly monitoring the operation and effectiveness of ICT security measures to ensure they remain responsive to changing threats, vulnerabilities and other issues that may impact the security of personal information. Where a vulnerability has been identified, patches and software upgrades should be rolled out as soon as possible.

Australia’s Computer Emergency Response Team, CERT Australia, has issued an advisory regarding the critical vulnerability in the BASH software. CERT Australia advises that the most important action businesses can take is to monitor and to act in accordance with advice from vendors, including the installation of priority software updates. CERT Australia also advises that businesses check the CERT Australia website for any significant updates.

For further information on the BASH vulnerability: businesses should see the CERT Australia website; Australian Government agencies should see the Australian Signals Directorate website; individuals and small businesses are encouraged to visit Stay Smart Online.

Businesses and government agencies should also refer to the OAIC’s Guide to information security (April 2013). The Guide to information security provides guidance on the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold. It also includes a list of resources on information security for businesses and government agencies.

Timothy Pilgrim — Australian Privacy Commissioner