"Hafnium" vulnerabilities in Microsoft Exchange: duty of notification and communication in accordance with the GDPR?

Stefan Hessel

The "Hafnium" Security Vulnerabilities

"Hafnium" is the umbrella term for multiple security vulnerabilities in Microsoft Exchange servers. Germany's Federal Office for Information Security (BSI) has been emphatically warning about these threats (only in German) since last week, as companies using unpatched Microsoft Exchange servers in a certain configuration may be vulnerable to attacks from the internet. The name "Hafnium" refers to a group of Chinese hackers to which the attacks are attributed. According to Microsoft and BSI, the following Exchange server versions are affected if they are self-hosted, i.e. operated as on-premises systems, and reachable from the internet via untrusted connections on port 443:

  • Exchange Server 2010 (RU 31 for Service Pack 3)
  • Exchange Server 2013 (CU 23)
  • Exchange Server 2016 (CU 19, CU 18)
  • Exchange Server 2019 (CU 8, CU 7)

More information about these threats and the measures which need to be taken can be found in the detailed information provided by BSI (only in German) and in the guidance from HiSolutions AG. The vulnerabilities are already being exploited, potentially giving attackers access to all the data on the server, including e-mail mailboxes and address books. The vulnerabilities can also be used to launch further attacks on companies, a threat which cannot be conclusively assessed at this time.

Overview: what the authorities are saying

What makes the present case unique is that it involves an especially critical vulnerability which is already being actively exploited. As can be seen from the overview below (download PDF here), some supervisory authorities, including the Bavarian Data Protection Authority and the Data Protection Commissioner of Lower Saxony (only in German), take the view that notification is required even if the system was not actually compromised, if updates were not installed on time.

Assessment in Data Protection Law

The idea that cyberattacks and IT security incidents, and the measures taken to handle them, could have legal consequences requiring a legal incident response is nothing new. However, the mere need to install a security update does not trigger a duty of notification or communication in accordance with Article 33 or 34 of the GDPR (only in German); at most, the controller would be required to document the incident in accordance with Article 33(5) of the GDPR (only in German). This documentation should be detailed enough to demonstrate that no data breach occurred or, in any case, that the incident did not create a risk to the rights and freedoms of natural persons. Along with documenting the incident, controllers should also secure all relevant evidence which may be useful to support the documentation or for other aspects of the legal handling of the incident (e.g. to enforce or defend against recourse claims). If a risk cannot be ruled out, the competent data protection authority must be notified in accordance with Article 33(1) of the GDPR (only in German). In urgent cases, this notification must be made without undue delay, if possible within 72 hours of when the controller becomes aware of the data breach. If the notification is late, the controller is required to cite reasons for the delay. If there is a high risk as a result of the data breach, the data subjects must also be notified in accordance with Article 34(1) of the GDPR (only in German).

Based on these principles, the supervisory authorities are correct in stating that controllers are generally required to notify them if they find that the Exchange server has been compromised. However, it is not the case that merely being late to install updates would establish a duty of notification, as it is not evident in this case why this would create a legally relevant risk. In cases where a system is demonstrably compromised but no data leak has been discovered, a detailed individual check should be performed in order to clarify the extent to which the system was affected by the attack. Depending on the results of this check, a decision can then be made as to whether notification is required based on the above principles. In case of doubt, or in situations which do not allow for complete investigation or documentation, we would tend to recommend notifying the authority. On the other hand, notification of data subjects would only come into consideration in cases of high risk. This may be the case, for example, if there is a leak involving sensitive personal data, but an assessment is required in each individual case.

Recommendation

First, and most importantly: according to BSI (only in German), about 25,000 systems in Germany were still vulnerable as of 11 March. The Bavarian Data Protection Authority has also reported that it has already identified vulnerable systems (PDF only in German) and contacted their operators. Accordingly, companies should take urgent action to ensure that security updates are properly installed and, if they have not done so already, check the systems they use to determine whether they have been compromised. Companies should also check in each case whether they are required to notify an authority or communicate a data breach in accordance with the GDPR or another statute, such as the Telecommunications Act or the BSI Act. Regardless of the fact that the legal views expressed by the authorities in Bavaria and Lower Saxony are unconvincing, controllers who are subject to regulation by those authorities should nevertheless take into account the risk of failure to comply and consider a preventive notification.

The Cybersecurity & Data Protection team at reuschlaw Legal Consultants provides comprehensive advice in all legal questions relating to IT security. Should you require legal assistance in handling the "Hafnium" vulnerabilities, we would be glad to assist you.

[March 2021]