Security vulnerabilities in Microsoft Exchange - What to do?

On 5 March 2021, the German Federal Office for Information Security (BSI) stated in a press release that tens of thousands of Microsoft Exchange servers in Germany were most likely infected with malware. The background is four vulnerabilities in Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), for which Microsoft had provided security updates on 3 March.

Warning by the Federal Office for Information Security (BSI)

The BSI assumes that Exchange servers on which the security update had not yet been installed on 5 March have been compromised. Exploitation of the vulnerabilities can give attackers access to mailboxes and allow them to install malware, typically web shells that persist on the server. Installing the update closes the vulnerabilities but does not remove anything an attacker planted beforehand, so servers that were reachable from the internet while unpatched must also be examined for signs of compromise. The BSI has provided extensive information and recommendations for action on its website.

Is there a notification obligation according to Art. 33 GDPR?

Under Article 33 of the General Data Protection Regulation (GDPR), a controller (company or entrepreneur) must report a personal data breach to the competent supervisory authority. The notification must be made without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach.

The LfD of Lower Saxony takes the legal view that a report must be submitted to the competent supervisory authority in every case of a compromise of the Exchange server, and also where the update was installed late.

The Bavarian State Office for Data Protection Supervision (BayLDA) and the North Rhine-Westphalian State Commissioner for Data Protection and Freedom of Information (LDI NRW), on the other hand, hold that a report is necessary only if there is evidence that personal data has been leaked or manipulated without authorisation, or if it cannot be ruled out with sufficient certainty that personal data has been exfiltrated from or manipulated in the system.

The supervisory authorities therefore do not agree. If you are affected, discuss how to react with your data protection officer or data protection advisor.

Do the data subjects have to be notified according to Art. 34 GDPR?

The notification to the supervisory authority must describe in detail which measures the controller (company/entrepreneur) has taken or intends to take. For this, the recommendations for action of the BSI and Microsoft must be consulted, and it must be explained which of these measures have already been implemented and with what results. Measures that are planned but not yet implemented at the time of the report must be described together with the planned time of their implementation. In the event of a compromise, you must also check whether the data subjects are to be informed of the breach of their personal data pursuant to Art. 34 GDPR. This decision, too, should only be made after consultation with your data protection officer.

Violations of Art. 33 of the GDPR may be punished with a fine pursuant to Art. 83 (4) of the GDPR.

The Bavarian State Office for Data Protection Supervision has published FAQs on the security vulnerabilities in Microsoft Exchange mail servers, which also give guidance on what to do from a technical point of view.

Source: Communication of the LfD Lower Saxony of 10.03.2021; communication of the LDI NRW; practical help of the BayLDA;

If your Exchange server is affected, we will be happy to assist you, regardless of whether one of our lawyers is acting as an external data protection officer for your company.

With kind regards

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist lawyer for industrial property protection

Specialist lawyer for information technology law
