A few days ago it became known that Microsoft Exchange email servers are affected by several vulnerabilities (see, for example, the announcements by the German BSI). Chained together, these vulnerabilities can be used for attacks, and such attacks have apparently already been carried out on a large scale (Krebs on Security):
> At least 30,000 organizations across the United States – including a significant number of small businesses, towns, cities and local governments – have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
On March 3, Microsoft provided security updates for the affected versions of the software. The risk is apparently greatest for Exchange servers that are reachable from the Internet (e.g. via Outlook Web Access), but it also exists where other Exchange services are exposed.
The Bavarian State Office for Data Protection Supervision (BayLDA) has identified a need for action for Bavarian companies and, in doing so, has also assessed the situation under data protection law. Its notice opens with the statement:
> We are very concerned that, despite urgent warnings by the security authorities and immediate assistance from Microsoft, vulnerable mail servers are still to be found on the Internet.
The BayLDA therefore sees the following obligations for the controllers concerned:
- Installing the patches is mandatory under Art. 32 GDPR;
- Controllers who have not yet done so “have an obligation, regardless of further findings and in view of the extraordinarily increased security risk, also due to the central function of Exchange servers in companies’ communication systems, to report the vulnerability as a personal data breach within 72 hours”. This “ensures that the further steps to restore the security of the overall system are carried out under the supervision of the BayLDA”;
- even if the patches have been applied, “all affected systems [must be] reviewed to establish whether they still provide the protection required by Art. 32 GDPR”;
- “Whether, in individual cases, there may even be a high risk to the data subjects, so that they must be notified under Art. 34 GDPR, ultimately depends on the case at hand. This requires an individual examination by the companies’ own data protection officers.”
In conclusion:

> Following the initial information provided to the companies, the BayLDA intends to carry out further test runs. In the event of breaches of the requirements of the General Data Protection Regulation, controllers who fail to respond appropriately will then face supervisory proceedings, including fines.[1]