SG Nürnberg - S 5 SF 65/24 DS
German court dismisses GDPR damages claim, wrongly classifying SQL injection vulnerability as unavoidable zero-day.
Summary
A German court (SG Nürnberg) dismissed a €3,000 GDPR damages claim against a health insurer and processor, ruling that a SQL injection vulnerability exploited to breach personal data did not violate Article 32 security requirements. Legal experts argue the judgment is fundamentally flawed because it mischaracterizes a preventable SQL injection—one of the oldest, most easily mitigated vulnerability classes—as an unavoidable zero-day event, collapsing strict GDPR "state of the art" obligations into a weaker "common market practice" standard. The ruling contradicts established GDPR doctrine requiring controllers and processors to implement secure development lifecycle practices including automated security testing and composition analysis.
Full text
Help SG Nürnberg - S 5 SF 65/24 DS: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 11:05, 16 July 2026 view sourceManTechnologist (talk | contribs)861 edits Tag: submission [1.0] Revision as of 11:07, 16 July 2026 view source ManTechnologist (talk | contribs)861 edits Tag: Visual editNewer edit → Line 90: Line 90: }}}} A court dismissed a data subject's €3,000 damages claim against a health insurer and its processor, holding that a zero-day hack did not violate security requirements under [[Article 32 GDPR|Article 32 GDPR]].A court dismissed a data subject's €3,000 damages claim against a health insurer and its processor, holding that a zero-day hack did not violate security requirements under [[Article 32 GDPR]]. == English Summary ==== English Summary == Line 127: Line 127: This judgment is legally and technically flawed because the Court fundamentally misapplied the concept of the "state of the art" under Article 32(1) of the General Data Protection Regulation. By treating a classic SQL injection vulnerability as an unavoidable, force-majeure "zero-day" event, the Court collapsed the strict statutory requirement of the state of the art into a much weaker standard of mere "common market practice."This judgment is legally and technically flawed because the Court fundamentally misapplied the concept of the "state of the art" under Article 32(1) of the General Data Protection Regulation. By treating a classic SQL injection vulnerability as an unavoidable, force-majeure "zero-day" event, the Court collapsed the strict statutory requirement of the state of the art into a much weaker standard of mere "common market practice." Under Article 32(1) of the General Data Protection Regulation, both controllers and processors are legally bound to ensure a level of security appropriate to the risk, explicitly taking into account the state of the art. As established in commentary (Hansen, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 2nd edition 2025, Article 32, Paragraphs 15–16), while Article 32 does not directly bind software manufacturers, it creates a strict indirect obligation for controllers and processors. They must carefully select, evaluate, and deploy only those products and services that actively enable them to fulfill their data protection obligations. Software with glaring, un-audited security gaps must not be deployed.Under Article 32(1) of the General Data Protection Regulation, both controllers and processors are legally bound to ensure a level of security appropriate to the risk, explicitly taking into account the state of the art. As in commentary (e.g. Hansen, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 2nd edition 2025, Article 32, Paragraphs 15–16), while Article 32 does not directly bind software manufacturers, it creates a strict indirect obligation for controllers and processors. They must carefully select, evaluate, and deploy only those products and services that actively enable them to fulfill their data protection obligations. Software with glaring, un-audited security gaps must not be deployed. In modern software engineering, a secure software development lifecycle, which integrates automated static application security testing, dynamic application security testing, and software composition analysis, is the indisputable state of the art. SQL injection is one of the oldest, most thoroughly documented, and easily preventable vulnerability classes in existence. It can be entirely neutralized during the development phase through standardized automated tools. The fact that a commercial file transfer platform allowed unauthenticated database access through such a fundamental flaw demonstrates a systemic failure of secure-by-design principles at the development level.In modern software engineering, a secure software development lifecycle, which integrates automated static application security testing, dynamic application security testing, and software composition analysis, is the indisputable state of the art. SQL injection is one of the oldest, most thoroughly documented, and easily preventable vulnerability classes in existence. It can be entirely neutralized during the development phase through standardized automated tools. The fact that a commercial file transfer platform allowed unauthenticated database access through such a fundamental flaw demonstrates a systemic failure of secure-by-design principles at the development level. Revision as of 11:07, 16 July 2026 SG Nürnberg - S 5 SF 65/24 DS Court: SG Nürnberg (Germany) Jurisdiction: Germany Relevant Law: Article 4(7) GDPR Article 4(8) GDPR Article 4(10) GDPR Article 4(12) GDPR Article 5(1)(f) GDPR Article 24(1) GDPR Article 24(1) GDPR Article 26 GDPR Article 28 GDPR Article 32(1) GDPR Article 32(2) GDPR Article 82(1) GDPR Article 82(2) GDPR Article 85 GDPR § 183 SGG§ 81b(1) SGB X Decided: 10.06.2026 Published: 18.06.2026 Parties: National Case Number/Name: S 5 SF 65/24 DS European Case Law Identifier: Appeal from: Appeal to: Unknown Original Language(s): German Original Source: sozialgerichtsbarkeit.de (in German) Initial Contributor: n/a A court dismissed a data subject's €3,000 damages claim against a health insurer and its processor, holding that a zero-day hack did not violate security requirements under Article 32 GDPR. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The data subject (a child born in 2018), represented by her parents, was insured with the controller (a statutory health insurance provider) and participated in its digital bonus programme. The bonus programme was managed via an app. To handle the information technology operations of this programme, the controller hired the processor (an IT service provider), establishing a data processing agreement under Article 28 GDPR alongside specific information security guidelines. To provide these services, the processor utilised "MOVEit Transfer," a market-leading file transfer software developed by Progress Software Corp. On 31 May 2023, the software developer publicly announced a critical, previously unknown "zero-day" vulnerability in the software (later assigned CVE-2023-34362). At that exact moment, no security patch was available. On the very same day, 31 May 2023, the processor—alongside thousands of other companies worldwide—became the victim of a global cyberattack carried out by the hacker group "Clop." The hackers exploited this zero-day vulnerability to install a "web-shell" backdoor (typically named human2.aspx), bypassing authentication to exfiltrate database records. The compromised data included the data subject's first and last name, health insurance number, bonus points balance, and a bank account number (IBAN) belonging to her mother. No medical, health, or social security data was exfiltrated. On 1 June 2023, the developer released a security patch, which the processor installed immediately. On 2 June 2023, the German Federal Office for Information Security (BSI) issued a formal IT security warning (No. 2023-240133-1100, Version 1.1). The BSI classified the IT threat level as "3 / Orange" (business-critical), confirming active exploitation with data exfiltration. The BSI recommended immediately blocking all HTTP and HTTPS traffic to MOVEit environments, checking for specific Indicators of Compromise (IoCs) in the web server directories, and applying the newly released patch before reconnecting systems to the network. On 16 June 2023, the processor informed the controller about the incident. On 17 June 2023, the controller issued a public press release confirming that its external service provider for the bonus programme had been targeted on 31 May 2023. The release stated that the security vulnerability had been closed, that there was never any connection to the controller's internal IT systems, and that relev