18.07.2023 | KPMG Law Insights

Data loss with MOVEit Transfer: This is how companies should act now

Hackers have apparently exploited a security hole in the “MOVEit Transfer” software to access data and demand payments. Numerous companies could be affected. The manufacturer of the software has since provided updates. But updating the software is not enough: data protection law requires companies to take further measures, in particular to provide complete information to those affected.

MOVEit Transfer is a program for exchanging large files, for example files that are too large to send by email. Thousands of companies have used this software to exchange corporate data.

The vendor had announced that a critical vulnerability (CVE-2023-36934) was found in its software product. According to media reports, the vulnerability was exploited by a group of hackers, who may have obtained enormous amounts of sensitive company data. The group is now said to be threatening to release the data unless a ransom is paid.

In recent days and weeks, the number of companies publicly stating that they were affected has increased. These include companies from all sectors and of all sizes – from start-ups to DAX companies. However, not only companies that have detected a data leak should take action, but all users of the MOVEit Transfer software.

Here’s what to do in the event of data loss from a legal and technological perspective

From a legal point of view

In the event of a data loss, it is not enough to close the security gap. Instead, it should be investigated immediately which data are affected and what consequences may follow. If, for example, confidential customer data has fallen into the wrong hands, this regularly constitutes a breach of contractual obligations and confidentiality agreements. In addition to informing the affected customers immediately, it is necessary to check whether the data leak could also trigger claims for damages from customers or suppliers. This is the only way to prevent the damage from escalating or going undetected.

Insofar as personal data is affected, the reporting and notification obligations of the General Data Protection Regulation (GDPR) apply: The responsible data protection supervisory authority and possibly also the affected customers or employees must be extensively informed no later than 72 hours after the company becomes aware of the data breach. Again, it is critical to determine the cause and extent of the data breach. This is the only way to assess which risks exist for the persons concerned and which reporting and notification obligations exist in concrete terms. For KRITIS companies, a notification to the Federal Office for Information Security (BSI) may also be required. Failure to comply with these obligations may result in significant fines and further regulatory action.

Even though it may be tempting to give in to the ransom demand in the hope of a quick solution, this decision should under no circumstances be made hastily. Since payment in response to such ransom demands may be punishable as terrorist financing or support for a criminal organization, legal advice should be sought in any case.

From a technological point of view

Even if organizations have since closed the security hole through the manufacturer’s updates, the need for a complete, forensic investigation of the incident remains.

According to experts, criminals have been able to exploit the vulnerability for a long time. It is therefore possible that the hacker group has been active in the IT systems of the affected companies for some time and has had access to their data. The BSI has therefore been recommending for weeks that organizations actively look for signs of a compromise.

eDiscovery creates transparency

In addition, it is important to understand exactly what data has been leaked in order to be able to take the right measures (see above). An eDiscovery, i.e. a review of the exfiltrated data, creates transparency. For example, it can be used to categorize the data that has been leaked (for example, “personal data,” “third-party data,” or “trade secrets”) and to initiate the necessary measures.

This is how MOVEit Transfer users should act now

All organizations that have used MOVEit Transfer should promptly conduct a forensic investigation to determine whether data may have been exfiltrated and, if so, use eDiscovery to verify which data was affected. Data protection experts should work closely with forensic experts and cyber security experts. As a preventive measure, companies should conduct a security audit to uncover security gaps and derive suitable countermeasures to help prevent such cases in the future.

If a data leak is detected (for example, through internal investigations or tips from third parties), it should be investigated whether the affected data is personal data or even particularly sensitive personal data. In this case, the company concerned must immediately contact the supervisory authority and the data subjects concerned. On the one hand, this fulfills legal obligations; on the other, professional handling may also prevent mass lawsuits due to data protection violations.

The good news is that companies can take measures to avoid such cases in the future. Good data protection management and information security management make it much more difficult for hackers to obtain data.

Together with experts for Cyber Incident Response & Investigation from KPMG AG Wirtschaftsprüfungsgesellschaft, we at KPMG Law Rechtsanwaltsgesellschaft mbH can take the necessary measures for you as data protection experts. Contact us.



Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770
fheynike@kpmg-law.com

Dr. Jyn Schultze-Melling, LL.M.

Partner

Heidestraße 58
10557 Berlin

tel: +49 30 530199 410
jschultzemelling@kpmg-law.com
