Microsoft Exchange Server: Need for action for companies

A few days ago it became known that Microsoft Exchange email servers are affected by vulnerabilities (see e.g. the announcements of the German BSI). In combination, these vulnerabilities could be used for attacks, which apparently occurred on a wide scale (KrebsOnSecurity):

At least 30,000 organizations across the United States – including a significant number of small businesses, towns, cities and local governments – have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

On March 3, Microsoft provided security updates for the affected versions of the software. The risk apparently applies above all to Exchange servers that are accessible from the Internet (e.g. via Outlook Web Access), but also arises when other services are used.

The Bavarian State Office for Data Protection (BayLDA) has identified a need for action for Bavarian companies and, in doing so, has also carried out an assessment under data protection law. It is introduced by the statement:

We are very concerned that despite urgent warnings by the security authorities and immediate assistance from Microsoft, vulnerable mail servers are still to be found on the network.

The BayLDA therefore sees the following obligations for the responsible parties (controllers) concerned:

  • Installing the patches is mandatory according to Art. 32 GDPR;
  • Responsible parties who have not yet done so “have an obligation, regardless of further findings and in view of the extraordinarily increased security risk, also due to the central function of Exchange servers in the communication system of companies, to report the vulnerability as a protection breach within 72 hours”. This “ensures that further steps to restore the security of the overall system are carried out under the supervision of the BayLDA”;
  • even if the patches have been applied, “all affected systems must be reviewed to check whether they still provide the protection required by Article 32 of the GDPR”;
  • “The extent to which, in some cases, there may even be a high risk to affected individuals and a notification is necessary according to Art. 34 of the GDPR ultimately depends on the individual case. Here, an individual examination is required by the companies’ own data protection officer.”

In conclusion:

Following the initial information provided to the companies, the BayLDA intends to conduct further test runs. In the event of breaches of the requirements of the General Data Protection Regulation, data controllers who fail to respond appropriately will then face supervisory proceedings, including fines.
