Is the Microsoft Exchange hack about to be dubbed “The Greatest Email Heist”? What does the DPC have to say about EU data protection and e-privacy laws?
“If you spend more on your coffee than on securing your email communications, you’ll be hacked.” – EmailOut
In this article, we’ll cover the following email industry news:
- Microsoft Exchange server hacked
- Irish Data Protection Commission (DPC) 2020 Annual Report
Let’s dive in.
Microsoft Exchange Hacked: The Great Email Robbery
A Microsoft Exchange Server hack is not just another data breach.
The email servers of tens of thousands of businesses and local governments are being pillaged through four zero-day vulnerabilities in on-premises Microsoft Exchange Server (Exchange Online is not affected), and we may be only days away from what could fairly be called the “greatest email heist”. The impact of the Microsoft Exchange hack is widely expected to exceed even that of the SolarWinds compromise.
At the beginning of March, investigative reporter Brian Krebs reported that –
“At least 30,000 organisations across the United States – including a significant number of small businesses, towns, cities and local governments – have, over the past few days, been hacked by an unusually aggressive Chinese cyber-espionage unit (Hafnium) that’s focused on stealing email from victim organisations.”
Microsoft Exchange Vulnerabilities
The four critical zero-day vulnerabilities affecting Exchange Server 2013, 2016 and 2019 that Microsoft has acknowledged are –
1) CVE-2021-26855: a pre-authentication Server Side Request Forgery (SSRF) that lets an unauthenticated attacker send arbitrary HTTP requests through the Exchange server and authenticate as it
2) CVE-2021-26857: insecure deserialisation in the Exchange Unified Messaging service, allowing an attacker to run code as SYSTEM on the Exchange server (it needs administrator permission or another vulnerability to exploit)
3) CVE-2021-26858: a post-authentication arbitrary file write
4) CVE-2021-27065: a second, separate post-authentication arbitrary file write
In the attacks seen so far the SSRF is the entry point: the attacker uses CVE-2021-26855 to authenticate as the Exchange server, then uses one of the file-write bugs to drop an ASPX web shell into a web-accessible directory, which gives persistent remote access without any credentials.
According to Microsoft, attackers have gained access to Exchange servers either through these four zero-day vulnerabilities or with stolen credentials.
Microsoft further comments on the Microsoft Exchange hack –
“The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
Microsoft has released out-of-band patches for the four vulnerabilities. Yet even at the time of release the company stated that the bugs were already being exploited in “limited, targeted attacks”; within days that had turned into indiscriminate mass exploitation across the globe.
Unfortunately, the patches are not “the remedy” on their own. A patch does nothing for a server that was compromised before it was applied, and the published fix also shows attackers exactly what was changed, which makes reproducing the exploit far easier – genius.
Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted. https://t.co/HYKF2lA7sn
— National Security Council (@WHNSC) March 6, 2021
According to the White House’s press secretary, the US government is increasingly concerned about the far-reaching impact of the Exchange hack; it has issued an emergency directive (through CISA) ordering federal agencies to patch their Exchange servers immediately or disconnect them.
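The NSC’s point above is that patching tells you nothing about whether you were already hit: you have to go and look. The script below is an added example written for this article, not Microsoft’s own Test-ProxyLogon script. It applies the indicator Microsoft published for CVE-2021-26855 (an HttpProxy request with an empty AuthenticatedUser whose AnchorMailbox looks like “ServerInfo~host/path”) and flags .aspx files under the aspnet_client directory, one of the web shell drop locations Microsoft listed. The log layout is an assumption: a trimmed set of columns plus the “#”-prefixed preamble that Exchange writes, and all rows, IPs, hostnames and file paths are constructed.

```python
"""Hunt for ProxyLogon (CVE-2021-26855) indicators in Exchange HttpProxy logs.

Added example, not Microsoft's Test-ProxyLogon script. Column set and preamble
are an approximation (assumption) of the CSV files found under
%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy.
"""
import csv
import io
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Set

# Constructed sample log (not a real capture). Rows 2 and 3 model an attacker
# reaching backend endpoints unauthenticated through the SSRF; the last row is a
# benign ServerInfo~ anchor from an authenticated admin that must NOT match.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T10:15:01.123Z,203.0.113.5,/owa/auth/logon.aspx,,,200
2021-03-02T10:15:09.456Z,203.0.113.5,/ecp/y.js,,ServerInfo~a]@exchange.example.test:444/autodiscover/autodiscover.xml?#,200
2021-03-02T10:15:12.789Z,203.0.113.5,/ecp/proxyLogon.ecp,,ServerInfo~a]@exchange.example.test:444/ecp/proxyLogon.ecp?#,200
2021-03-02T10:16:30.000Z,10.0.0.17,/owa/,EXAMPLE\\alice,,200
2021-03-02T10:17:00.000Z,10.0.0.22,/ecp/,EXAMPLE\\admin,ServerInfo~Server01,200
"""


@dataclass(frozen=True)
class Hit:
    when: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per data row. '#'-prefixed preamble lines are skipped,
    the column names come from '#Fields:' or from a plain header row, and a
    header row repeated after '#Fields:' is not treated as data."""
    header = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = next(csv.reader([line[len("#Fields:"):].strip()]))
            continue
        values = next(csv.reader([line]))
        if header is None or values == header:
            header = values
            continue
        yield dict(zip(header, values))


def is_ssrf_indicator(row: dict) -> bool:
    """Microsoft's CVE-2021-26855 indicator: no authenticated user and an
    AnchorMailbox of the form ServerInfo~<target>/<path>."""
    anchor = (row.get("AnchorMailbox") or "").strip()
    user = (row.get("AuthenticatedUser") or "").strip()
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def hunt(lines: Iterable[str]) -> List[Hit]:
    return [
        Hit(r["DateTime"], r["ClientIpAddress"], r["UrlStem"], r["AnchorMailbox"])
        for r in parse_httpproxy(lines)
        if is_ssrf_indicator(r)
    ]


def hunt_text(text: str) -> List[Hit]:
    return hunt(io.StringIO(text))


def suspicious_clients(hits: Iterable[Hit]) -> Set[str]:
    """Distinct source IPs to pivot on in firewall and IIS logs."""
    return {h.client_ip for h in hits}


# aspnet_client normally holds only client-side script, so any .aspx beneath it
# is suspect. (owa\auth is another drop location but ships legitimate .aspx
# pages, so it would need a per-file allowlist and is left out here.)
ASPNET_CLIENT_DIR = r"c:\inetpub\wwwroot\aspnet_client"


def flag_webshell_paths(paths: Iterable[str]) -> List[str]:
    """Return the .aspx files that sit under the aspnet_client directory."""
    return [
        p for p in paths
        if p.lower().endswith(".aspx") and p.lower().startswith(ASPNET_CLIENT_DIR)
    ]


# Constructed directory listing (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\WebForms.js",
    r"C:\inetpub\wwwroot\aspnet_client\help.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\supp0rt.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
]

if __name__ == "__main__":
    hits = hunt_text(SAMPLE_LOG)
    for h in hits:
        print(f"{h.when} {h.client_ip} {h.url_stem} <- {h.anchor_mailbox}")
    print("pivot on:", sorted(suspicious_clients(hits)))
    print("suspect files:", flag_webshell_paths(SAMPLE_PATHS))
```

On a real server, feed `hunt` every `*.log` file under the HttpProxy logging directory rather than the embedded sample, and treat any hit as a confirmed compromise attempt to be investigated, not as a finding to be closed by patching: the matching source IPs are the pivot into firewall, IIS and ECP logs, and the web shell check is a quick triage step, not a substitute for a full forensic review.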
Irish DPC: 4,660 GDPR-related complaints
The Irish Data Protection Commission (DPC) released its 2020 Annual Report detailing the comprehensive span of regulatory work the organisation has done in overseeing the application of EU data protection and e-privacy laws.
The report outlines and discusses the DPC’s work over the year, including –
- received breach notifications;
- special projects relating to children;
- special projects relating to cookies;
- the impact and challenges of Brexit; and,
- the impact and challenges of COVID-19.
The DPC Annual Report conclusions cover the period January 1, 2020 to December 31, 2020.
- DPC handled 10,151 total cases in 2020 (up 9% compared to 2019)
- DPC received 4,660 complaints from individuals under the GDPR
- the most frequent GDPR queries and complaints in 2020:
- access requests,
- direct marketing, and
- the right to be forgotten.
- the organisation received 6,628 valid security data breach notifications (up 10% compared to 2019)
- December 31, 2020: the DPC had 83 statutory inquiries on hand, 27 of them cross-border
- the DPC received 354 cross-border processing complaints via the GDPR’s One-Stop-Shop
- December 2020: first fine in a cross-border case – Twitter International Company (€450,000)
- among the complaints filed, 144 concerned electronic direct marketing, of which 66 related to email
- DPC also reports a new phenomenon: both organisations and individuals are attempting to misuse the GDPR
Ireland’s Data Protection Commission currently has 27 open cross-border privacy investigations, including into Apple, Google and other tech companies that have set up their EU hub in Ireland.
Interesting fact: Facebook accounts for nine of these privacy probes with more pending into WhatsApp and Instagram.
You can download the Irish Data Protection Commission 2020 Annual Report here.
Do you have any suggestions or ideas about which email industry news topics you’d like us to look out for in the future? Write your requests below. We’ll keep an eye out (or two) so you don’t have to – and all for FREE, of course.
EmailOut offers the most generous email marketing software freemium product for professional micro-businesses and SMEs across the globe coupled with the very best rates for large volume corporate senders. Take a look now.