18.07.2023 | KPMG Law Insights

Data loss with MOVEit Transfer: This is how companies should act now

Hackers have apparently exploited a security hole in the MOVEit Transfer” software used to access data and demand payments. Numerous companies could be affected. The manufacturer of the software has provided updates in the meantime. But updating the software is not enough. Data protection law requires companies to take further measures, in particular to provide complete information.

MOVEit Transfer is a program that lets you exchange large files, for example, if they are too large to put in an email. Thousands of companies used this software to exchange corporate data with it.

The vendor had announced that a critical vulnerability (CVE-2023-36934) was found in its software product. According to media reports, the vulnerability was exploited by a group of hackers. They may have obtained enormous amounts of sensitive company data. The group is now said to be threatening to release the data unless a ransom is paid.

In recent days and weeks, the number of companies publicly stating that they were affected has increased. These include companies from all sectors and of all sizes – from start-ups to DAX companies. However, not only companies that have detected a data leak should take action, but all users of the MOVEit Transfer software.

Here’s what to do in the event of data loss from a legal and technological perspective

From a legal point of view

In the event of a data loss, it is not enough to close the security gap. Instead, it should be immediately investigated which data are affected and what consequences are threatened. If, for example, confidential customer data has fallen into the wrong hands, this regularly means a breach of contractual obligations and confidentiality agreements. In addition to informing the affected customers immediately, it is necessary to check whether the data leak could also trigger claims for damages from customers or suppliers. This is the only way to prevent the damage from intensifying or going undetected.

Insofar as personal data is affected, the reporting and notification obligations of the General Data Protection Regulation (GDPR) apply: The responsible data protection supervisory authority and possibly also the affected customers or employees must be extensively informed no later than 72 hours after the company becomes aware of the data breach. Again, it is critical to determine the cause and extent of the data breach. This is the only way to assess which risks exist for the persons concerned and which reporting and notification obligations exist in concrete terms. For KRITIS companies, a notification to the Federal Office for Information Security (BSI) may also be required. Failure to comply with these obligations may result in significant fines and further regulatory action.

Even though it may be tempting to give in to the ransomware demand in view of a quick solution, this decision should not be made hastily under any circumstances. Since payment in response to such ransom demands may be punishable as terrorist financing or support for a criminal organization, legal advice should be sought in any case.

From a technological point of view

Even if organizations have since closed the security hole through the manufacturer’s updates, the need for a complete, forensic investigation of the incident remains.

According to Expert:innen, criminals have been able to exploit the vulnerability for a long time. It is therefore possible that the hacker group has been working in the IT systems of the affected companies for some time and has had access to their data. The BSI has therefore been recommending for weeks to actively look for signs of a compromise.

eDiscovery creates transparency

In addition, it is important to understand exactly what data has been leaked in order to be able to take the right measures (see above). An eDiscovery and thus a review of the outflowed data creates transparency. For example, it can be used to categorize the data that has been leaked (for example, “personal data,” “third-party data,” or “trade secrets”) and to initiate the necessary measures.

This is how MOVEit Transfer users should act now

All organizations that have used MOVEit Transfer should promptly conduct a forensic investigation to determine whether data may have been tapped, and if so, use eDiscovery to verify which data was affected. Data protection experts should work closely with forensic experts and cyber security experts. As a preventive measure, companies should conduct a security audit to uncover security gaps and derive suitable countermeasures to help prevent such cases in the future.

If a data leak is detected (for example, through internal investigations or tips from third parties), it should be investigated whether the affected data is personal or even particularly sensitive personal data. In this case, the company concerned must immediately contact the supervisory authority and the data owners concerned. On the one hand, this fulfills legal obligations and, on the other, professional handling may also prevent mass lawsuits due to data protection violations.

The good news is that companies can take measures to avoid such cases in the future. Good data protection management and information security management make it much more difficult for hackers to obtain data.

Together with experts for Cyber Incident Response & Investigation from KPMG AG Wirtschaftsprüfungsgesellschaft, we at KPMG Law Rechtsanwaltsgesellschaft mbH can take the necessary measures for you as data protection experts. Contact us.


This article was written in cooperation with Michael Sauermann and Jan Stoelting, both partners at KPMG AG Wirtschaftsprüfungsgesellschaft.







Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…


Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770

Dr. Jyn Schultze-Melling, LL.M.


Heidestraße 58
10557 Berlin

tel: +49 30 530199 410

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.