SG Nürnberg - S 5 SF 65/24 DS
German court dismisses €3,000 GDPR damages claim against health insurer over zero-day MOVEit hack.
Summary
A German Social Court (SG Nürnberg) dismissed a data subject's €3,000 damages claim against a statutory health insurer and its IT processor following a May 2023 zero-day exploitation of MOVEit Transfer software by the Clop hacker group. The court held that the processor's use of a market-leading file transfer tool, even when exploited via a previously unknown vulnerability with no available patch at the time of attack, did not constitute a violation of Article 32 GDPR security requirements. The incident exposed the child data subject's name, health insurance number, bonus points, and her mother's IBAN, but no medical or sensitive health data.
Full text
Help SG Nürnberg - S 5 SF 65/24 DS: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 11:05, 16 July 2026 view source ManTechnologist (talk | contribs)861 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 11:05, 16 July 2026 SG Nürnberg - S 5 SF 65/24 DS Court: SG Nürnberg (Germany) Jurisdiction: Germany Relevant Law: Article 4(7) GDPR Article 4(8) GDPR Article 4(10) GDPR Article 4(12) GDPR Article 5(1)(f) GDPR Article 24(1) GDPR Article 24(1) GDPR Article 26 GDPR Article 28 GDPR Article 32(1) GDPR Article 32(2) GDPR Article 82(1) GDPR Article 82(2) GDPR Article 85 GDPR § 183 SGG§ 81b(1) SGB X Decided: 10.06.2026 Published: 18.06.2026 Parties: National Case Number/Name: S 5 SF 65/24 DS European Case Law Identifier: Appeal from: Appeal to: Unknown Original Language(s): German Original Source: sozialgerichtsbarkeit.de (in German) Initial Contributor: n/a A court dismissed a data subject's €3,000 damages claim against a health insurer and its processor, holding that a zero-day hack did not violate security requirements under Article 32 GDPR. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The data subject (a child born in 2018), represented by her parents, was insured with the controller (a statutory health insurance provider) and participated in its digital bonus programme. The bonus programme was managed via an app. To handle the information technology operations of this programme, the controller hired the processor (an IT service provider), establishing a data processing agreement under Article 28 GDPR alongside specific information security guidelines. To provide these services, the processor utilised "MOVEit Transfer," a market-leading file transfer software developed by Progress Software Corp. On 31 May 2023, the software developer publicly announced a critical, previously unknown "zero-day" vulnerability in the software (later assigned CVE-2023-34362). At that exact moment, no security patch was available. On the very same day, 31 May 2023, the processor—alongside thousands of other companies worldwide—became the victim of a global cyberattack carried out by the hacker group "Clop." The hackers exploited this zero-day vulnerability to install a "web-shell" backdoor (typically named human2.aspx), bypassing authentication to exfiltrate database records. The compromised data included the data subject's first and last name, health insurance number, bonus points balance, and a bank account number (IBAN) belonging to her mother. No medical, health, or social security data was exfiltrated. On 1 June 2023, the developer released a security patch, which the processor installed immediately. On 2 June 2023, the German Federal Office for Information Security (BSI) issued a formal IT security warning (No. 2023-240133-1100, Version 1.1). The BSI classified the IT threat level as "3 / Orange" (business-critical), confirming active exploitation with data exfiltration. The BSI recommended immediately blocking all HTTP and HTTPS traffic to MOVEit environments, checking for specific Indicators of Compromise (IoCs) in the web server directories, and applying the newly released patch before reconnecting systems to the network. On 16 June 2023, the processor informed the controller about the incident. On 17 June 2023, the controller issued a public press release confirming that its external service provider for the bonus programme had been targeted on 31 May 2023. The release stated that the security vulnerability had been closed, that there was never any connection to the controller's internal IT systems, and that relevant supervisory authorities had been notified. The controller subsequently notified the data subject's parents. On 27 March 2024, the data subject, via legal counsel, sent a formal warning letter to the controller demanding an injunction, a declaration of liability for all potential future damages, and non-material damages of at least €3,000. Following the controller's refusal, the data subject filed a lawsuit with the Nuremberg Social Court (Sozialgericht Nürnberg), later expanding the claim to the processor as a joint defendant. Holding The Court dismissed the lawsuit as partly inadmissible and otherwise unfounded, establishing the following legal principles: First, the Court held that a successful third-party cyberattack does not establish an irrebuttable presumption that a controller or processor failed to implement appropriate security measures under Article 32(1) GDPR and Article 5(1)(f) GDPR. To escape liability under Article 82(3) GDPR, an operator must prove they implemented robust baseline security controls (such as multi-factor authentication, encryption, and lockout policies) and applied a security patch immediately upon its release by the vendor, even if this occurred before formal alerts were issued by national IT security authorities. Second, the Court held that a claim for non-material damages under Article 82(1) GDPR based on the fear or distress of future data misuse cannot be established if the data subject is a minor who has no subjective knowledge or cognitive awareness of the data breach. Furthermore, if the compromised financial data (such as an IBAN) does not belong to the data subject personally, there is no direct risk of financial harm to them, rendering the alleged fear of financial damage unfounded. Third, the Court held that an injunction claim is inadmissible due to a lack of specificity if it merely demands that a controller stop making personal data accessible to third parties without implementing "state-of-the-art" security measures, without specifying the concrete technical or organisational measures the controller is required to take. Fourth, the Court held that a declaratory claim for potential future material damages is inadmissible under national procedural law (§ 55(1) SGG) if there is no realistic probability of future financial harm, particularly because the compromised bank account belonged to a third party (the mother) and the software vulnerability was immediately patched. Comment This judgment is legally and technically flawed because the Court fundamentally misapplied the concept of the "state of the art" under Article 32(1) of the General Data Protection Regulation. By treating a classic SQL injection vulnerability as an unavoidable, force-majeure "zero-day" event, the Court collapsed the strict statutory requirement of the state of the art into a much weaker standard of mere "common market practice." Under Article 32(1) of the General Data Protection Regulation, both controllers and processors are legally bound to ensure a level of security appropriate to the risk, explicitly taking into account the state of the art. As established in commentary (Hansen, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 2nd edition 2025, Article 32, Paragraphs 15–16), while Article 32 does not directly bind software manufacturers, it creates a strict indirect obligation for controllers and processors. They must carefully select, evaluate, and deploy only those products and services that actively enable them to fulfill their data protection obligations. Software with glaring, un-audited security gaps must not be deployed. In modern software engineering, a secure software development lifecycle, which integrates automated static application security testing, dynamic application security testing, and software composition analysis, is the indisputable state of the art. SQL injection is one of the oldest, most thoroughly documented, and easily preventable vulnerability classes in existence. It can be entirely neutralized during the development phase through standardized automated tools. The fact that a commercial file transfer platform allowed unauthenticated database access through such a fundamental flaw demonstrates a systemic failur
Indicators of Compromise
- cve — CVE-2023-34362
- malware — human2.aspx