Search
Contact
18.07.2023 | KPMG Law Insights

Data loss with MOVEit Transfer: This is how companies should act now

Hackers have apparently exploited a security hole in the MOVEit Transfer” software used to access data and demand payments. Numerous companies could be affected. The manufacturer of the software has provided updates in the meantime. But updating the software is not enough. Data protection law requires companies to take further measures, in particular to provide complete information.

MOVEit Transfer is a program that lets you exchange large files, for example, if they are too large to put in an email. Thousands of companies used this software to exchange corporate data with it.

The vendor had announced that a critical vulnerability (CVE-2023-36934) was found in its software product. According to media reports, the vulnerability was exploited by a group of hackers. They may have obtained enormous amounts of sensitive company data. The group is now said to be threatening to release the data unless a ransom is paid.

In recent days and weeks, the number of companies publicly stating that they were affected has increased. These include companies from all sectors and of all sizes – from start-ups to DAX companies. However, not only companies that have detected a data leak should take action, but all users of the MOVEit Transfer software.

Here’s what to do in the event of data loss from a legal and technological perspective

From a legal point of view

In the event of a data loss, it is not enough to close the security gap. Instead, it should be immediately investigated which data are affected and what consequences are threatened. If, for example, confidential customer data has fallen into the wrong hands, this regularly means a breach of contractual obligations and confidentiality agreements. In addition to informing the affected customers immediately, it is necessary to check whether the data leak could also trigger claims for damages from customers or suppliers. This is the only way to prevent the damage from intensifying or going undetected.

Insofar as personal data is affected, the reporting and notification obligations of the General Data Protection Regulation (GDPR) apply: The responsible data protection supervisory authority and possibly also the affected customers or employees must be extensively informed no later than 72 hours after the company becomes aware of the data breach. Again, it is critical to determine the cause and extent of the data breach. This is the only way to assess which risks exist for the persons concerned and which reporting and notification obligations exist in concrete terms. For KRITIS companies, a notification to the Federal Office for Information Security (BSI) may also be required. Failure to comply with these obligations may result in significant fines and further regulatory action.

Even though it may be tempting to give in to the ransomware demand in view of a quick solution, this decision should not be made hastily under any circumstances. Since payment in response to such ransom demands may be punishable as terrorist financing or support for a criminal organization, legal advice should be sought in any case.

From a technological point of view

Even if organizations have since closed the security hole through the manufacturer’s updates, the need for a complete, forensic investigation of the incident remains.

According to Expert:innen, criminals have been able to exploit the vulnerability for a long time. It is therefore possible that the hacker group has been working in the IT systems of the affected companies for some time and has had access to their data. The BSI has therefore been recommending for weeks to actively look for signs of a compromise.

eDiscovery creates transparency

In addition, it is important to understand exactly what data has been leaked in order to be able to take the right measures (see above). An eDiscovery and thus a review of the outflowed data creates transparency. For example, it can be used to categorize the data that has been leaked (for example, “personal data,” “third-party data,” or “trade secrets”) and to initiate the necessary measures.

This is how MOVEit Transfer users should act now

All organizations that have used MOVEit Transfer should promptly conduct a forensic investigation to determine whether data may have been tapped, and if so, use eDiscovery to verify which data was affected. Data protection experts should work closely with forensic experts and cyber security experts. As a preventive measure, companies should conduct a security audit to uncover security gaps and derive suitable countermeasures to help prevent such cases in the future.

If a data leak is detected (for example, through internal investigations or tips from third parties), it should be investigated whether the affected data is personal or even particularly sensitive personal data. In this case, the company concerned must immediately contact the supervisory authority and the data owners concerned. On the one hand, this fulfills legal obligations and, on the other, professional handling may also prevent mass lawsuits due to data protection violations.

The good news is that companies can take measures to avoid such cases in the future. Good data protection management and information security management make it much more difficult for hackers to obtain data.

Together with experts for Cyber Incident Response & Investigation from KPMG AG Wirtschaftsprüfungsgesellschaft, we at KPMG Law Rechtsanwaltsgesellschaft mbH can take the necessary measures for you as data protection experts. Contact us.

 

This article was written in cooperation with Michael Sauermann and Jan Stoelting, both partners at KPMG AG Wirtschaftsprüfungsgesellschaft.

 

 

 

 

 

 

Explore #more

22.01.2025 | KPMG Law Insights

The EU packaging regulation sets strict requirements for packaging

The EU has adopted the Packaging Regulation. After the European Parliament adopted the Commission’s draft on April 24, 2024, the EU member states also approved…

09.01.2025 | In the media

KPMG Law strengthens Legal Transformation Managed Services and Legal Corporate Services with two new senior managers

On January 1, KPMG Law strengthened its Transformation Managed Services practice with Jana Sichelschmidt and its Corporate Services practice with Dr. Michaela Lenk. Both are…

06.01.2025 | Deal Notifications

KPMG Law advises on the sale of Käppler & Pausch GmbH

Gabriel Pausch, the co-founder and main shareholder of Käppler & Pausch GmbH, a system supplier for metal assemblies as well as metal and sheet metal…

03.01.2025 | In the media

Interview in Betrieb on the EU money laundering package and its impact

The EU anti-money laundering package harmonizes anti-money laundering and counter-terrorism rules in Europe and introduces new measures such as cash limits of €10,000, identification requirements…

02.01.2025 | In the media

KPMG Law Statement in eMagazin Immobilienanwälte: Creativity meets law in trademark protection

Four Frankfurt, Elbtower, Vonovia: real estate projects and companies are backed by constructs worth millions or even billions. In order to stand out from the…

20.12.2024 | Deal Notifications

KPMG and KPMG Law supported the sale of circular Informationssysteme to the teccle group

Together with the corporate finance/M&A advisors of KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG), KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the shareholders of circular Informationssysteme GmbH (circular)…

19.12.2024 | Press releases

KPMG Law defends Federal Motor Transport Authority against claim for damages in connection with the emissions scandal

The state is not liable to vehicle purchasers for damages. KPMG Law has defended the Federal Motor Transport Authority (KBA) against a civil plaintiff’s state…

18.12.2024 | KPMG Law Insights, KPMG Law Insights

MiCAR – What the new EU regulation means for crypto service providers and issuers

An EU regulation will soon come into force that will regulate crypto assets uniformly throughout Europe. It contains significant new obligations for issuers and crypto…

16.12.2024 | Deal Notifications

KPMG Law advises CERTANIA Holding GmbH on the acquisition of RASG Holdco Ltd.

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) has provided legal advice to CERTANIA Holding GmbH, a platform of the Munich-based PE firm Greenpeak Partners, on the…

04.12.2024 | Deal Notifications

KPMG Law and KPMG advises Brain Biotech AG on license agreements and monetization of license rights

KPMG Law Rechtsanwaltsgesellschaft mbH and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Brain Biotech AG on the monetization of licensing rights with Royalty Pharma and the conclusion…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

Dr. Jyn Schultze-Melling, LL.M.

Partner

Heidestraße 58
10557 Berlin

Tel.: +49 30 530199 410
jschultzemelling@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll