In the context of the security vulnerabilities in on-premises, externally accessible Microsoft Exchange servers (the cloud-hosted Exchange Online service in M365 is not affected), data protection authorities point out that there may be an obligation to notify the competent authority under Art. 33 DSGVO (GDPR).
Whether notification is required may depend on your federal state. In NRW, the data protection authority must be notified if a leak or manipulation of personal data has occurred or cannot be ruled out with sufficient certainty. In Bavaria and Lower Saxony, the rules are even stricter: there, the obligation to report already applies if the security update provided by Microsoft on 5 March had not been installed by 9 March. The data protection authorities agree that notification is mandatory if there is clear evidence of access.
The security update
Microsoft provides a patch that closes critical gaps in Exchange Server 2019, 2016, 2013 and 2010 and calls for externally accessible Exchange servers to be updated immediately. Because installing the patch closes the vulnerabilities but does not remove an attacker who has already gained access, it is important to trace and recognise the possible attack paths on affected servers. You can find information from Microsoft here.
Do you have questions about the security gap and need further information or short-term support? Don't hesitate: contact our experts directly now.