Microsoft Exchange security vulnerabilities

16.03.2021

Companies must act immediately and may need to notify data protection authorities

According to information provided by Microsoft (continually updated blog post) and the German Federal Office for Information Security (BSI; press release; continually updated cyber security warning, both available only in German), there are several critical security vulnerabilities in “on-premises” versions of Microsoft Exchange. Affected companies have an acute need to take action. The vulnerabilities are present in the software regardless of how the server is deployed; what exposes a server to attack from arbitrary Internet-based attackers is unprotected access to port 443 (HTTPS) from the Internet, e.g. where Outlook Web Access is reachable via the Internet. Systems that can be reached only via VPN are presumably far less exposed, but they still need to be patched.

These security vulnerabilities allow attackers to gain access to the Exchange server itself, so that they can not only read and control the email accounts hosted there, but can also install malware on the system and possibly move on to further systems in the network. According to the BSI, there are already indications that attackers have used these vulnerabilities to deploy ransomware in the systems of affected companies, which can then be used for subsequent extortionate encryption attacks.

According to Microsoft’s findings, the vulnerabilities were initially exploited by the hacker group Microsoft calls “Hafnium”, primarily targeting US research institutions working on the pandemic, universities and defence contractors. However, according to more recent reports from Microsoft, other attackers are now also exploiting these vulnerabilities.

Microsoft has released out-of-band patches and is supporting administrators with instructions and tools for checking systems for signs of compromise. This information is summarised in Microsoft’s continually updated blog post. The BSI is also providing continually updated information (available only in German).

All companies that use the affected “on-premises” versions of Microsoft Exchange have an acute need to take action. The risk that further opportunistic attackers compromise unpatched systems has increased steadily since the vulnerabilities became public, and patching alone does not remove an attacker who has already gained access. The necessary measures, i.e. patching and checking the systems for compromise, must therefore be implemented without delay.

Obligations under data protection law once a security vulnerability has become known

Companies are obliged – especially under data protection law – to eliminate such vulnerabilities without undue delay.

At the latest once a security vulnerability has actually been exploited, i.e. attackers have penetrated a company’s systems, businesses are normally also obliged to report such a “data breach” to the competent data protection supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR) and, if there is a high risk for data subjects (e.g. staff or customers whose data have been exposed or stolen), to notify these data subjects as well (Art. 34 GDPR).

In the case of the Microsoft Exchange vulnerabilities described above, some data protection authorities even take the position that the authority has to be notified in any case if the system was not patched by 9 March 2021, regardless of whether the specific system was actually attacked. The extent to which these cases actually have to be reported is disputed even among the German supervisory authorities. In order to comply with any notification obligations, and with the accountability obligation under data protection law that exists independently of them, companies must thoroughly check their potentially affected systems, document these checks and their results, and conduct a legal assessment of the results with a view to any further steps that may be required.

Additional information can be found here: Noerr Cyber Risk-Portal.

Data Privacy
Digital Business
Cyber Risks