“Hafnium” vulnerabilities in Microsoft Exchange: duty of notification and communication in accordance with the GDPR?

The “Hafnium” Security Vulnerabilities

“Hafnium” is the umbrella term for multiple security vulnerabilities in Microsoft Exchange servers. Germany’s Federal Office for Information Security (BSI) has been emphatically warning about these threats (only in German) since last week, as companies using unpatched Microsoft Exchange servers in a certain configuration may be vulnerable to attacks from the internet. The name “Hafnium” refers to a group of Chinese hackers which is credited with the attacks. According to Microsoft and BSI, the following Exchange server versions are affected if they are self-hosted, i.e. operated as on-premises systems, and accessible via the internet with untrusted connections to port 443:

  • Exchange Server 2010 (RU 31 for Service Pack 3)
  • Exchange Server 2013 (CU 23)
  • Exchange Server 2016 (CU 19, CU 18)
  • Exchange Server 2019 (CU 8, CU 7)

More information about these threats and the measures which need to be taken can be found in the detailed information provided by BSI (only in German) and in the guidance from HiSolutions AG. The vulnerabilities are already being exploited, potentially giving attackers access to all the data on the server, including e-mail mailboxes and address books. The vulnerabilities can also be used to launch further attacks on companies, a threat which cannot be conclusively assessed at this time.

Overview: what the authorities are saying

What makes the present case unique is that it involves an especially critical vulnerability which is already being actively exploited. As can be seen from the overview below (download PDF here), some supervisory authorities, including the Bavarian Data Protection Authority and the Data Protection Commissioner of Lower Saxony (only in German), take the view that notification is required even if the system was not actually compromised, if updates were not installed on time.

Assessment in Data Protection Law

The idea that cyberattacks and IT security incidents and measures to handle such incidents could have legal consequences requiring a legal incident response is nothing new. However, the mere need to install a security update does not trigger a duty of notification or communication in accordance with Article 33 or 34 of the GDPR (only in German); at most, the controller would be required to document the incident in accordance with Article 33(5) of the GDPR (only in German). This documentation should be detailed enough to demonstrate that no data breach occurred or, in any case, that the incident did not create a risk to the rights and freedoms of natural persons. Along with documenting the incident, controllers should also secure all relevant evidence which may be useful to support the documentation or for other aspects of the legal handling of the incident (e.g. to enforce or defend against recourse claims). If a risk cannot be ruled out, the competent data protection authority must be notified in accordance with Article 33(1) of the GDPR (only in German). In urgent cases, this notification must be made without undue delay, if possible within 72 hours of when the controller becomes aware of the data breach. If the notification is late, the controller is required to cite reasons for the delay. If there is a high risk as a result of the data breach, the data subjects must also be notified in accordance with Article 34(1) of the GDPR (only in German).

Based on these principles, the supervisory authorities are correct in stating that controllers are generally required to notify them if they find that the Exchange server has been compromised. However, it is not the case that merely being late to install updates would establish a duty of notification, as it is not evident in this case why this would create a legally relevant risk. In cases where a system is demonstrably compromised but no data leak has been discovered, a detailed individual check should be performed in order to clarify the extent to which the system was affected by the attack. Depending on the results of this check, a decision can then be made as to whether notification is required based on the above principles. In case of doubt, or in situations which do not allow for complete investigation or documentation, we would tend to recommend notifying the authority. On the other hand, notification of data subjects would only come into consideration in cases of high risk. This may be the case, for example, if there is a leak involving sensitive personal data, but an assessment is required in each individual case.


First, and most importantly: according to BSI (only in German), about 25,000 systems in Germany were still vulnerable as of 11 March. The Bavarian Data Protection Authority has also reported that it has already identified vulnerable systems (PDF only in German) and contacted their operators. Accordingly, companies should take urgent action to ensure that security updates are properly installed, as well as checking the systems they use to determine if they are compromised, if they have not done so already. Companies should also check in each case whether they are required to notify an authority or communicate a data breach in accordance with the GDPR or another statute, such as the Telecommunications Act or the BSI Act. Regardless of the fact that the legal views expressed by the authorities in Bavaria and Lower Saxony are unconvincing, controllers who are subject to regulation by those authorities should nevertheless take into account the risk of failure to comply and consider a preventive notification.

The Cybersecurity & Data Protection team at reuschlaw Legal Consultants provides comprehensive advice in all legal questions relating to IT security. Should you require legal assistance in handling the “Hafnium” vulnerabilities, we would be glad to assist you.

