Security Update Concerning OpenSSL Heartbleed
We take the security of your data very seriously at Illumina. As one of many safeguarding measures, BaseSpace uses encryption software to ensure the privacy and security of both your user login information and your sequencing data as it travels from Illumina’s sequencing instruments into our cloud environment.
Recently, a security threat with a common encryption library that is widely used by many websites (including BaseSpace) was found to have a major vulnerability in it. The security threat was published on April 7th, 2014 for the “OpenSSL” library (CVE-2014-0160 ) and quickly came to our attention. The vulnerability, nicknamed “Heartbleed”, had the potential to allow an attacker to steal private keys or other sensitive information that is normally encrypted via SSL. The nickname came about because of the way an attacker could gain access to a server’s memory through the “OpenSSL” specific heartbeat protocol.
Once we assessed the situation we quickly worked with our platform vendor and internal teams to ensure the following was completed:
- All affected servers were patched with the updated/non-affected version of OpenSSL. This was completed less than 24 hours after the announcement.
- All of our public facing SSL certificates were replaced. All of the old SSL certificates are now being revoked.
- All login sessions older than 24 hours were automatically invalidated.
We have no information that knowledge of this vulnerability was used against BaseSpace or its users. However, as with all websites that have updated their OpenSSL libraries, we encourage everyone to change their BaseSpace password. You should also check your notification history for any suspicious activity.
At BaseSpace, protecting your data is our top priority, and we continue to assess the risks in response to this issue. We have and will continue to work together with our infrastructure provider, Amazon Web Services, to ensure that all of our services respond quickly to security threats.
For further information about BaseSpace data security, please see our Data Security Technical Note. If you have any questions or concerns, please feel free to contact support.