Clifford Chance

Reports indicate that at least 30,000 companies have fallen victim to a hack compromising their Outlook email systems and broader IT networks.

Background of the attack

On March 2, 2021, Microsoft announced that its Exchange Server software, commonly used enterprise software for businesses that syncs and communicates with the Outlook email application, had been attacked by a hacking group the company referred to as Hafnium. It has been reported that the attack has allowed unauthorized access to the networks and email systems of at least 30,000 US companies, with some estimating the number of victim companies at over 250,000.

According to Microsoft, Hafnium was able to access individual organizations' Microsoft Exchange Servers by exploiting a number of zero-day exploits (previously unknown software vulnerabilities). Once Hafnium obtained access to email servers, it was reportedly able to install malware that allowed it to access and control an organization's wider networks. Microsoft has stated that it does not know the full extent of the access and theft.

Microsoft has released a software update to remedy the vulnerabilities used by Hafnium and has encouraged all Exchange Server customers to apply the updates immediately. On March 8, 2021 Microsoft announced that it continued to observe actors taking advantage of unpatched systems and also published a feed of observed indicators of compromise. However, even after the patch is installed, unauthorized actors may still have access to victims' networks if they obtained access prior to the patch installation.

Post-detection risks

Given the widespread nature of this attack, organizations should immediately assess whether their systems contain any indicators of compromise. If companies are not able to eradicate malware from their networks, some experts have warned that affected companies may soon fall victim to ransomware attacks. For further information on addressing the risks of ransomware attacks, see our publication here.

If indicators of compromise are detected, it is important that companies conduct an investigation to assess the scope of any unauthorized access to their systems. Importantly, if a network or email account holds personal data that was accessed or exfiltrated by malicious actors, it is likely that data breach notification laws of multiple jurisdictions will be triggered. The importance of conducting an adequate investigation to determine the scope of notification obligations following an unauthorized network access incident was highlighted recently by the New York Department of Financial Services, in its first settlement of a cyber-related enforcement action, which we analyze and discuss here.