Search
Contact
18.07.2023 | KPMG Law Insights

Data loss with MOVEit Transfer: This is how companies should act now

Hackers have apparently exploited a security hole in the MOVEit Transfer” software used to access data and demand payments. Numerous companies could be affected. The manufacturer of the software has provided updates in the meantime. But updating the software is not enough. Data protection law requires companies to take further measures, in particular to provide complete information.

MOVEit Transfer is a program that lets you exchange large files, for example, if they are too large to put in an email. Thousands of companies used this software to exchange corporate data with it.

The vendor had announced that a critical vulnerability (CVE-2023-36934) was found in its software product. According to media reports, the vulnerability was exploited by a group of hackers. They may have obtained enormous amounts of sensitive company data. The group is now said to be threatening to release the data unless a ransom is paid.

In recent days and weeks, the number of companies publicly stating that they were affected has increased. These include companies from all sectors and of all sizes – from start-ups to DAX companies. However, not only companies that have detected a data leak should take action, but all users of the MOVEit Transfer software.

Here’s what to do in the event of data loss from a legal and technological perspective

From a legal point of view

In the event of a data loss, it is not enough to close the security gap. Instead, it should be immediately investigated which data are affected and what consequences are threatened. If, for example, confidential customer data has fallen into the wrong hands, this regularly means a breach of contractual obligations and confidentiality agreements. In addition to informing the affected customers immediately, it is necessary to check whether the data leak could also trigger claims for damages from customers or suppliers. This is the only way to prevent the damage from intensifying or going undetected.

Insofar as personal data is affected, the reporting and notification obligations of the General Data Protection Regulation (GDPR) apply: The responsible data protection supervisory authority and possibly also the affected customers or employees must be extensively informed no later than 72 hours after the company becomes aware of the data breach. Again, it is critical to determine the cause and extent of the data breach. This is the only way to assess which risks exist for the persons concerned and which reporting and notification obligations exist in concrete terms. For KRITIS companies, a notification to the Federal Office for Information Security (BSI) may also be required. Failure to comply with these obligations may result in significant fines and further regulatory action.

Even though it may be tempting to give in to the ransomware demand in view of a quick solution, this decision should not be made hastily under any circumstances. Since payment in response to such ransom demands may be punishable as terrorist financing or support for a criminal organization, legal advice should be sought in any case.

From a technological point of view

Even if organizations have since closed the security hole through the manufacturer’s updates, the need for a complete, forensic investigation of the incident remains.

According to Expert:innen, criminals have been able to exploit the vulnerability for a long time. It is therefore possible that the hacker group has been working in the IT systems of the affected companies for some time and has had access to their data. The BSI has therefore been recommending for weeks to actively look for signs of a compromise.

eDiscovery creates transparency

In addition, it is important to understand exactly what data has been leaked in order to be able to take the right measures (see above). An eDiscovery and thus a review of the outflowed data creates transparency. For example, it can be used to categorize the data that has been leaked (for example, “personal data,” “third-party data,” or “trade secrets”) and to initiate the necessary measures.

This is how MOVEit Transfer users should act now

All organizations that have used MOVEit Transfer should promptly conduct a forensic investigation to determine whether data may have been tapped, and if so, use eDiscovery to verify which data was affected. Data protection experts should work closely with forensic experts and cyber security experts. As a preventive measure, companies should conduct a security audit to uncover security gaps and derive suitable countermeasures to help prevent such cases in the future.

If a data leak is detected (for example, through internal investigations or tips from third parties), it should be investigated whether the affected data is personal or even particularly sensitive personal data. In this case, the company concerned must immediately contact the supervisory authority and the data owners concerned. On the one hand, this fulfills legal obligations and, on the other, professional handling may also prevent mass lawsuits due to data protection violations.

The good news is that companies can take measures to avoid such cases in the future. Good data protection management and information security management make it much more difficult for hackers to obtain data.

Together with experts for Cyber Incident Response & Investigation from KPMG AG Wirtschaftsprüfungsgesellschaft, we at KPMG Law Rechtsanwaltsgesellschaft mbH can take the necessary measures for you as data protection experts. Contact us.

 

This article was written in cooperation with Michael Sauermann and Jan Stoelting, both partners at KPMG AG Wirtschaftsprüfungsgesellschaft.

 

 

 

 

 

 

Explore #more

27.05.2025 | KPMG Law Insights

Cell Phone Inspections at US Border and Beyond: What to Expect

Key facts: U.S. immigration officials monitor public social media data and travelers should be prepared to share details about their personal social media accounts. All…

23.05.2025 | KPMG Law Insights

Business Travel and Assignment in the USA: What you need to know about US immigration

The recent changes in US immigration rules are causing uncertainty worldwide. In particular, since the new US government took office, processes regarding entry into the…

14.05.2025 | KPMG Law Insights

BGH on customer installations: Decision orders application in line with the directive

In a ruling dated May 13, 2025, the BGH classified the supply infrastructure in the specific case of a residential complex in Zwickau as a…

13.05.2025 | In the media

KPMG Law expert in Spiegel article on energy policy

Dirk-Henning Meier, Senior Manager in the energy law department at KPMG Law, is quoted in a recent article on energy policy in Der Spiegel.…

13.05.2025 | Career, In the media

azur Karriere Magazin – All AI or what?

Artificial intelligence has long since arrived in law firms and legal departments. But dealing with it is a skill that needs to be learned. Many…

13.05.2025 | KPMG Law Insights

Initial experience with the Single-Use Plastics Fund Act: what manufacturers should bear in mind

Beverage cups, foil and plastic cigarette filters litter streets, parks and sidewalks. The cleaning costs are borne by the local authorities. The Disposable Plastics Fund…

07.05.2025 | KPMG Law Insights

Termination of fixed-term rental agreements in the case of pre-leasing

In the case of a pre-leasing, the tenancy only begins at a later date, usually the handover date. In such cases, the contracting parties usually…

06.05.2025 | In the media

Wirtschaftswoche honors KPMG Law

KPMG Law was named “TOP Law Firm 2025” in the field of M&A by WirtschaftsWoche. Ian Maywald, Partner at KPMG Law in Munich, was…

06.05.2025 | KPMG Law Insights

Social insurance obligation for teachers – transitional rule creates clarity

Teachers and lecturers are often hired on a self-employed basis. This practice makes the German pension insurance fund sit up and take notice. It is…

02.05.2025 | In the media

KPMG Law Statement in FINANCE Magazine: How CFOs can save up to 80 percent in the legal department

The cost pressure in companies is increasing – also in legal departments. Two strategies have now become established to save 50 to 80 percent of…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

Dr. Jyn Schultze-Melling, LL.M.

Partner

Heidestraße 58
10557 Berlin

Tel.: +49 30 530199 410
jschultzemelling@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll