18.07.2023 | KPMG Law Insights

Data loss with MOVEit Transfer: This is how companies should act now

Hackers have apparently exploited a security hole in the MOVEit Transfer” software used to access data and demand payments. Numerous companies could be affected. The manufacturer of the software has provided updates in the meantime. But updating the software is not enough. Data protection law requires companies to take further measures, in particular to provide complete information.

MOVEit Transfer is a program that lets you exchange large files, for example, if they are too large to put in an email. Thousands of companies used this software to exchange corporate data with it.

The vendor had announced that a critical vulnerability (CVE-2023-36934) was found in its software product. According to media reports, the vulnerability was exploited by a group of hackers. They may have obtained enormous amounts of sensitive company data. The group is now said to be threatening to release the data unless a ransom is paid.

In recent days and weeks, the number of companies publicly stating that they were affected has increased. These include companies from all sectors and of all sizes – from start-ups to DAX companies. However, not only companies that have detected a data leak should take action, but all users of the MOVEit Transfer software.

Here’s what to do in the event of data loss from a legal and technological perspective

From a legal point of view

In the event of a data loss, it is not enough to close the security gap. Instead, it should be immediately investigated which data are affected and what consequences are threatened. If, for example, confidential customer data has fallen into the wrong hands, this regularly means a breach of contractual obligations and confidentiality agreements. In addition to informing the affected customers immediately, it is necessary to check whether the data leak could also trigger claims for damages from customers or suppliers. This is the only way to prevent the damage from intensifying or going undetected.

Insofar as personal data is affected, the reporting and notification obligations of the General Data Protection Regulation (GDPR) apply: The responsible data protection supervisory authority and possibly also the affected customers or employees must be extensively informed no later than 72 hours after the company becomes aware of the data breach. Again, it is critical to determine the cause and extent of the data breach. This is the only way to assess which risks exist for the persons concerned and which reporting and notification obligations exist in concrete terms. For KRITIS companies, a notification to the Federal Office for Information Security (BSI) may also be required. Failure to comply with these obligations may result in significant fines and further regulatory action.

Even though it may be tempting to give in to the ransomware demand in view of a quick solution, this decision should not be made hastily under any circumstances. Since payment in response to such ransom demands may be punishable as terrorist financing or support for a criminal organization, legal advice should be sought in any case.

From a technological point of view

Even if organizations have since closed the security hole through the manufacturer’s updates, the need for a complete, forensic investigation of the incident remains.

According to Expert:innen, criminals have been able to exploit the vulnerability for a long time. It is therefore possible that the hacker group has been working in the IT systems of the affected companies for some time and has had access to their data. The BSI has therefore been recommending for weeks to actively look for signs of a compromise.

eDiscovery creates transparency

In addition, it is important to understand exactly what data has been leaked in order to be able to take the right measures (see above). An eDiscovery and thus a review of the outflowed data creates transparency. For example, it can be used to categorize the data that has been leaked (for example, “personal data,” “third-party data,” or “trade secrets”) and to initiate the necessary measures.

This is how MOVEit Transfer users should act now

All organizations that have used MOVEit Transfer should promptly conduct a forensic investigation to determine whether data may have been tapped, and if so, use eDiscovery to verify which data was affected. Data protection experts should work closely with forensic experts and cyber security experts. As a preventive measure, companies should conduct a security audit to uncover security gaps and derive suitable countermeasures to help prevent such cases in the future.

If a data leak is detected (for example, through internal investigations or tips from third parties), it should be investigated whether the affected data is personal or even particularly sensitive personal data. In this case, the company concerned must immediately contact the supervisory authority and the data owners concerned. On the one hand, this fulfills legal obligations and, on the other, professional handling may also prevent mass lawsuits due to data protection violations.

The good news is that companies can take measures to avoid such cases in the future. Good data protection management and information security management make it much more difficult for hackers to obtain data.

Together with experts for Cyber Incident Response & Investigation from KPMG AG Wirtschaftsprüfungsgesellschaft, we at KPMG Law Rechtsanwaltsgesellschaft mbH can take the necessary measures for you as data protection experts. Contact us.


This article was written in cooperation with Michael Sauermann and Jan Stoelting, both partners at KPMG AG Wirtschaftsprüfungsgesellschaft.







Explore #more

01.12.2023 | PR publications

WiWo: Best of Legal Awards – Philipp Glock Leader of the Year

On Thursday evening, WirtschaftsWoche honored outstanding projects and minds from consulting firms and law firms in Düsseldorf and celebrated the second Best of Professional Night…

29.11.2023 | KPMG Law Insights

Energy transition also opens up business opportunities

The energy industry’s complex, capital-intensive transformation process offers investors and banks a great deal of potential By Lars Christian Mahler and Marc Goldberg for Börsen-Zeitung,…

29.11.2023 | KPMG Law Insights

Guest article in ZURe – AI and the legal department of tomorrow

The current issue of ZURe (p. 48 ff.) contains a guest article by KPMG Partner Sina Steidel-Küster (Regional Director Southwest, Head of Stuttgart office) and…

29.11.2023 | KPMG Law Insights, KPMG Law Insights

Key Facts about the new draft of the “Data Act

On February 23, 2022, the EU Commission presented the new draft of the so-called Data Act, the “Regulation on harmonized rules for fair access to…

21.11.2023 |

Guest article in ZURe on the implementation of CSRD reporting in SMEs

The current issue of ZURe (p. 34 ff.) contains a guest article by Lena Plato (Director Legal & Compliance, FLABEG Automotive Group GmbH), KPMG Law…

20.11.2023 | Press releases

Statement by KPMG Law experts in Handelsblatt on the topic of sustainability cooperation in antitrust law

In the Handelsblatt, KPMG Law expert Jonas Brueckner is quoted in detail on the subject of cooperation in terms of sustainability. Until this summer, there…

15.11.2023 |

Legal 500 – Country Comparative Guide Germany

Gerrit Rixen and Jonas Brueckner provide an overview of the relevant legal regulations in the area of Competition & Litigation in a practical guide on…

14.11.2023 | Press releases

Tax and Law at a glance – New issue of the digital magazine “Talk

“Talk” stands for Tax and Law Compass, because that’s what the digital magazine wants to be: a navigation aid to the legal and tax aspects…

13.11.2023 |

Statement from KPMG Law experts in Brand eins magazine on the use of AI

The business magazine brand eins asked eight experts about the use of AI in the legal sector. “Many business people cannot even begin to estimate…

10.11.2023 | Deal Notifications

KPMG Law and KPMG AG Wirtschaftsprüfungsgesellschaft advise Ziemann Holvrieka on the acquisition of Künzel Maschinenbau

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Ziemann Holvrieka GmbH from Ludwigsburg on the acquisition of the majority of shares…


Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770

Dr. Jyn Schultze-Melling, LL.M.


Klingelhöferstraße 18
10785 Berlin

tel: +49 30 530199 410

© 2023 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.