
ICO warns businesses of Windows XP deadline

Organisations need to put measures in place to protect data or risk huge fines, the ICO says


The ICO has warned businesses that still use Windows XP that they must take responsibility for protecting data as support for the aging operating system ends on 8 April.

PCs running Microsoft's Windows XP and Microsoft Office 2003 will continue to operate, but will no longer be updated to fix security flaws when Microsoft ends support for the products next Tuesday.

The ICO has said the systems, and the personal data stored within them, could potentially be vulnerable, and it is therefore the duty of IT managers to ensure that measures are in place to keep data safe.

Importantly, if an organisation fails to spot problems with its software that lead to a serious breach of the Data Protection Act, it could incur huge fines. One organisation, the British Pregnancy and Advisory Service, was hit with a six-figure fine on 10 March after the names, contact details and addresses of 10,000 people were leaked because of holes in its IT systems.

Microsoft's XP operating system is still being used by millions, despite the imminent discontinuation of support, which has been planned for six years. Almost 28 per cent of desktop users are still using XP, according to data site netmarketshare.com.

This week, the UK Government managed to secure an extra 12 months of support from Microsoft, at a cost of £5.548m, to accommodate the public sector organisations still running XP.

The data protection watchdog, which upholds information rights in the public interest, said problems will get worse over time as more vulnerabilities are gradually discovered, leading to more "opportunities for an attacker to exploit and potentially gain unauthorised access to systems".

The ICO's technology group manager Dr Simon Rice noted that it is important to remember organisations regularly end support for their older products.

"As a responsible data controller, it is your organisation's responsibility to make sure you have the measures in place to keep people's details safe," he said.

"Anyone using either of these two products must consider their options and ensure that personal data is not unduly placed at risk. Failure to do so will leave your organisation's network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented."

Rice offered some advice for businesses to help protect their systems as the switch-off date nears.

For small businesses, he said, checking for updates that need to be regularly applied to desktop and laptop operating systems should be relatively simple.

For more complex work environments, tests may need to be done to ensure the updates are compatible with the existing infrastructure. And where businesses cannot apply an update, they may need to put additional measures in place to "mitigate the risk".

Although the ICO did not explicitly recommend upgrading to new systems, vendors, including Microsoft, Toshiba and Lenovo, have been offering cut-price packages to entice businesses to upgrade their IT infrastructures.
