Microsoft Exchange Server data breach

A malicious large-scale hacking of Microsoft’s Exchange Server may have affected thousands of UK servers. Enforcement activity and civil claims may follow.

15 March 2021


On 2 March 2020, Microsoft announced that Microsoft Exchange Server had been subject to multiple ‘0-day’ exploits, which it attributed to a group known as Hafnium. Hafnium is understood by Microsoft to be a Chinese state-backed hacking group, and is known to publish stolen personal data to file-sharing sites. The campaign is thought to have begun as a targeted effort against specific individuals but quickly escalated into a global hack exploiting unpatched systems, including the email server of the European Banking Authority and likely many others. Once Microsoft made the breach known, a number of other malicious groups rushed to exploit the same vulnerabilities.

At the time of the announcement, Microsoft released patches to combat the attacks. Patches are system updates that address vulnerabilities or bugs within a programme. When patches are circulated, hackers often attempt to reverse engineer the fix to work out what was vulnerable. Patches also do little against hackers who are already inside a system and have installed web shells (code that acts like a backdoor into the network). Large-scale hacks such as this also open the door to escalating attacks. On 12 March, Microsoft warned users that a family of ransomware (known as DearCry) was being used to block users’ access to their systems (see Microsoft’s tweet here), allegedly offering to release the systems in exchange for payment. Please see our previous article on the legal risks associated with paying ransomware threats.

The attack is being referred to as ‘ongoing’ as Microsoft continue to prompt users to check and update their systems. This was echoed by the UK National Cyber Security Centre, which published an urgent alert on 3 March 2021 explaining the impact of the attack and recommending mitigating steps. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has also prompted US companies to act, including in a tweet on 3 March 2021: “Federal civilian agencies are required to take emergency action to update or disconnect these products” (see full tweet here). The full extent of the hack is, as yet, unknown, but it could potentially involve thousands of victims; Jen Psaki, White House press secretary, said that there was a “large number of victims” in this “active hack”.

Companies that hold a large amount of personal data must remain vigilant to any cyber vulnerabilities, including through third-party providers. Ensuring your IT systems are regularly updated is just one part of the armoury available as data breaches are hugely varied in origin, context and consequence. We can help you take proactive measures to prevent a breach, and also advise you on the steps you should take in order to quickly and effectively respond to a data security breach, including: detection, analysis, recovery and response.

Given the uptick in enforcement activity by data privacy regulators in recent months, including the UK's Information Commissioner's Office, and the accompanying increase in parallel civil litigation in the form of high-profile, widely advertised group actions, we wait to see what the likely outcome of this hack will be for compromised entities.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.