[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJKadqOfnTk_QbuCH1z8gz5Nth-yRsOySZnzOft8hpyo":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":27,"category":28,"article_tags":32},"f3e50f76-4724-4896-a102-b5effa6d8a19","SG Nürnberg - S 5 SF 65\u002F24 DS","sg-nurnberg-s-5-sf-65-24-ds-e77f76","← Older revision Revision as of 09:02, 17 July 2026 Line 101: Line 101: On 31 May 2023, the software developer publicly announced a critical, previously unknown \"zero-day\" vulnerability in the software (later assigned CVE-2023-34362). At that exact moment, no security patch was available. On 31 May 2023, the software developer publicly announced a critical, previously unknown \"zero-day\" vulnerability in the software (later assigned CVE-2023-34362). At that exact moment, no security patch was available. On the very same day, 31 May 2023, the processor—alongside thousands of other companies worldwide—became the victim of a global cyberattack carried out by the hacker group \"Clop.\" The hackers exploited this zero-day vulnerability to install a \"web-shell\" backdoor (typically named human2.aspx), bypassing authentication to exfiltrate database records. The compromised data included the data subject's first and last name, health insurance number, bonus points balance, and a bank account number (IBAN) belonging to her mother. No medical, health, or social security data was exfiltrated. On the very same day, 31 May 2023, the processor – alongside thousands of other companies worldwide – became the victim of a global cyberattack carried out by the hacker group \"Clop.\" The hackers exploited this zero-day vulnerability to install a \"web-shell\" backdoor (typically named human2.aspx), bypassing authentication to exfiltrate database records. The compromised data included the data subject's first and last name, health insurance number, bonus points balance, and a bank account number (IBAN) belonging to her mother. No medical, health, or social security data was exfiltrated. On 1 June 2023, the developer released a security patch, which the processor installed immediately. On 1 June 2023, the developer released a security patch, which the processor installed immediately. Line 127: Line 127: This judgment is legally and technically flawed because the Court fundamentally misapplied the concept of the \"state of the art\" under Article 32(1) of the General Data Protection Regulation. By treating a classic SQL injection vulnerability as an unavoidable, force-majeure \"zero-day\" event, the Court collapsed the strict statutory requirement of the state of the art into a much weaker standard of mere \"common market practice.\" This judgment is legally and technically flawed because the Court fundamentally misapplied the concept of the \"state of the art\" under Article 32(1) of the General Data Protection Regulation. By treating a classic SQL injection vulnerability as an unavoidable, force-majeure \"zero-day\" event, the Court collapsed the strict statutory requirement of the state of the art into a much weaker standard of mere \"common market practice.\" Under Article 32(1) of the General Data Protection Regulation, both controllers and processors are legally bound to ensure a level of security appropriate to the risk, explicitly taking into account the state of the art. As in commentary (e.g. Hansen, in: Simitis\u002FHornung\u002FSpiecker gen. Döhmann, Datenschutzrecht, 2nd edition 2025, Article 32, Paragraphs 15–16), while Article 32 does not directly bind software manufacturers, it creates a strict indirect obligation for controllers and processors. They must carefully select, evaluate, and deploy only those products and services that actively enable them to fulfill their data protection obligations. Software with glaring, un-audited security gaps must not be deployed. Under [[Article 32 GDPR|Article 32(1) GDPR]], both controllers and processors are legally bound to ensure a level of security appropriate to the risk, explicitly taking into account the state of the art. As in commentary (e.g. Hansen, in: Simitis\u002FHornung\u002FSpiecker gen. Döhmann, Datenschutzrecht, 2nd edition 2025, Article 32, Paragraphs 15–16), while [[Article 32 GDPR|Article 32]] does not directly bind software manufacturers, it creates a strict indirect obligation for controllers and processors. They must carefully select, evaluate, and deploy only those products and services that actively enable them to fulfill their data protection obligations. Software with glaring, un-audited security gaps must not be deployed. In modern software engineering, a secure software development lifecycle, which integrates automated static application security testing, dynamic application security testing, and software composition analysis, is the indisputable state of the art. SQL injection is one of the oldest, most thoroughly documented, and easily preventable vulnerability classes in existence. It can be entirely neutralized during the development phase through standardized automated tools. The fact that a commercial file transfer platform allowed unauthenticated database access through such a fundamental flaw demonstrates a systemic failure of secure-by-design principles at the development level. In modern software engineering, a secure software development lifecycle, which integrates automated static application security testing, dynamic application security testing, and software composition analysis, is the indisputable state of the art. SQL injection is one of the oldest, most thoroughly documented, and easily preventable vulnerability classes in existence. It can be entirely neutralized during the development phase through standardized automated tools. The fact that a commercial file transfer platform allowed unauthenticated database access through such a fundamental flaw demonstrates a systemic failure of secure-by-design principles at the development level. The Court's reasoning creates a dangerous legal safe harbour that actively undermines the preventive purpose of Article 32 of the General Data Protection Regulation. Under the Court’s flawed logic, an operator is fully exculpated from liability under Article 82(3) of the General Data Protection Regulation simply by procuring a widely used, \"market-leading\" commercial product, regardless of how deficient that product's underlying security architecture is. This effectively shifts the entire risk of vendor-side engineering failures onto the data subjects. By failing to scrutinize whether the software itself complied with the secure software development lifecycle as the state of the art, the Court misapplied the law, transforming what should be a rigorous assessment of technical security into a superficial checklist of vendor popularity. The Court's reasoning creates a dangerous legal safe harbour that actively undermines the preventive purpose of [[Article 32 GDPR]]. Under the Court’s flawed logic, an operator is fully exculpated from liability under [[Article 82 GDPR|Article 82(3) GDPR]] simply by procuring a widely used, \"market-leading\" commercial product, regardless of how deficient that product's underlying security architecture is. This effectively shifts the entire risk of vendor-side engineering failures onto the data subjects. By failing to scrutinize whether the software itself complied with the secure software development lifecycle as the state of the art, the Court misapplied the law, transforming what should be a rigorous assessment of technical security into a superficial checklist of vendor popularity. == Further Resources == == Further Resources ==","A German court (SG Nürnberg) issued a judgment in case S 5 SF 65\u002F24 DS regarding GDPR liability arising from the May 31, 2023 Clop ransomware campaign that exploited CVE-2023-34362, a SQL injection zero-day in file transfer software. The court's reasoning exculpated the data processor despite the breach, but legal commentary critiques this as misapplying GDPR Article 32 by treating the vulnerability as unavoidable rather than holding vendors and operators to secure-by-design standards.","German court ruling on GDPR liability for Clop ransomware exploitation of CVE-2023-34362 SQL injection flaw.","Help SG Nürnberg - S 5 SF 65\u002F24 DS: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 11:20, 16 July 2026 view sourceManTechnologist (talk | contribs)861 edits ← Older edit Latest revision as of 09:02, 17 July 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators83 editsmTag: Visual edit Line 101: Line 101: On 31 May 2023, the software developer publicly announced a critical, previously unknown \"zero-day\" vulnerability in the software (later assigned CVE-2023-34362). At that exact moment, no security patch was available.On 31 May 2023, the software developer publicly announced a critical, previously unknown \"zero-day\" vulnerability in the software (later assigned CVE-2023-34362). At that exact moment, no security patch was available. On the very same day, 31 May 2023, the processor—alongside thousands of other companies worldwide—became the victim of a global cyberattack carried out by the hacker group \"Clop.\" The hackers exploited this zero-day vulnerability to install a \"web-shell\" backdoor (typically named human2.aspx), bypassing authentication to exfiltrate database records. The compromised data included the data subject's first and last name, health insurance number, bonus points balance, and a bank account number (IBAN) belonging to her mother. No medical, health, or social security data was exfiltrated.On the very same day, 31 May 2023, the processor – alongside thousands of other companies worldwide – became the victim of a global cyberattack carried out by the hacker group \"Clop.\" The hackers exploited this zero-day vulnerability to install a \"web-shell\" backdoor (typically named human2.aspx), bypassing authentication to exfiltrate database records. The compromised data included the data subject's first and last name, health insurance number, bonus points balance, and a bank account number (IBAN) belonging to her mother. No medical, health, or social security data was exfiltrated. On 1 June 2023, the developer released a security patch, which the processor installed immediately.On 1 June 2023, the developer released a security patch, which the processor installed immediately. Line 127: Line 127: This judgment is legally and technically flawed because the Court fundamentally misapplied the concept of the \"state of the art\" under Article 32(1) of the General Data Protection Regulation. By treating a classic SQL injection vulnerability as an unavoidable, force-majeure \"zero-day\" event, the Court collapsed the strict statutory requirement of the state of the art into a much weaker standard of mere \"common market practice.\"This judgment is legally and technically flawed because the Court fundamentally misapplied the concept of the \"state of the art\" under Article 32(1) of the General Data Protection Regulation. By treating a classic SQL injection vulnerability as an unavoidable, force-majeure \"zero-day\" event, the Court collapsed the strict statutory requirement of the state of the art into a much weaker standard of mere \"common market practice.\" Under Article 32(1) of the General Data Protection Regulation, both controllers and processors are legally bound to ensure a level of security appropriate to the risk, explicitly taking into account the state of the art. As in commentary (e.g. Hansen, in: Simitis\u002FHornung\u002FSpiecker gen. Döhmann, Datenschutzrecht, 2nd edition 2025, Article 32, Paragraphs 15–16), while Article 32 does not directly bind software manufacturers, it creates a strict indirect obligation for controllers and processors. They must carefully select, evaluate, and deploy only those products and services that actively enable them to fulfill their data protection obligations. Software with glaring, un-audited security gaps must not be deployed.Under [[Article 32 GDPR|Article 32(1) GDPR]], both controllers and processors are legally bound to ensure a level of security appropriate to the risk, explicitly taking into account the state of the art. As in commentary (e.g. Hansen, in: Simitis\u002FHornung\u002FSpiecker gen. Döhmann, Datenschutzrecht, 2nd edition 2025, Article 32, Paragraphs 15–16), while [[Article 32 GDPR|Article 32]] does not directly bind software manufacturers, it creates a strict indirect obligation for controllers and processors. They must carefully select, evaluate, and deploy only those products and services that actively enable them to fulfill their data protection obligations. Software with glaring, un-audited security gaps must not be deployed. In modern software engineering, a secure software development lifecycle, which integrates automated static application security testing, dynamic application security testing, and software composition analysis, is the indisputable state of the art. SQL injection is one of the oldest, most thoroughly documented, and easily preventable vulnerability classes in existence. It can be entirely neutralized during the development phase through standardized automated tools. The fact that a commercial file transfer platform allowed unauthenticated database access through such a fundamental flaw demonstrates a systemic failure of secure-by-design principles at the development level.In modern software engineering, a secure software development lifecycle, which integrates automated static application security testing, dynamic application security testing, and software composition analysis, is the indisputable state of the art. SQL injection is one of the oldest, most thoroughly documented, and easily preventable vulnerability classes in existence. It can be entirely neutralized during the development phase through standardized automated tools. The fact that a commercial file transfer platform allowed unauthenticated database access through such a fundamental flaw demonstrates a systemic failure of secure-by-design principles at the development level. The Court's reasoning creates a dangerous legal safe harbour that actively undermines the preventive purpose of Article 32 of the General Data Protection Regulation. Under the Court’s flawed logic, an operator is fully exculpated from liability under Article 82(3) of the General Data Protection Regulation simply by procuring a widely used, \"market-leading\" commercial product, regardless of how deficient that product's underlying security architecture is. This effectively shifts the entire risk of vendor-side engineering failures onto the data subjects. By failing to scrutinize whether the software itself complied with the secure software development lifecycle as the state of the art, the Court misapplied the law, transforming what should be a rigorous assessment of technical security into a superficial checklist of vendor popularity.The Court's reasoning creates a dangerous legal safe harbour that actively undermines the preventive purpose of [[Article 32 GDPR]]. Under the Court’s flawed logic, an operator is fully exculpated from liability under [[Article 82 GDPR|Article 82(3) GDPR]] simply by procuring a widely used, \"market-leading\" commercial product, regardless of how deficient that product's underlying security architecture is. This effectively shifts the entire risk of vendor-side engineering failures onto the data subjects. By failing to scrutinize whether the software itself complied with the secure software development lifecycle as the state of the art, the Court misapplied the law, transforming what should be a rigorous assessment of technical security into a superficial checklist of vendor popularity. == Further Resources ==== Further Resources == Latest revision as of 09:02, 17 July 2026 SG Nürnberg - S 5 SF 65\u002F24 DS Court: SG Nürnberg (Germany) Jurisdiction: Germany Relevant Law: Article 4(7) GDPR Article 4(8) GDPR Article 4(10) GDPR Article 4(12) GDPR Article 5(1)(f) GDPR Article 24(1) GDPR Article 24(1) GDPR Article 26 GDPR Article 28 GDPR Article 32(1) GDPR Article 32(2) GDPR Article 82(1) GDPR Article 82(2) GDPR Arti","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=SG_N%C3%BCrnberg_-_S_5_SF_65\u002F24_DS&diff=52339&oldid=52255","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-07-17T09:02:06+00:00","2026-07-17T10:00:28.341419+00:00",8,[18,21,24],{"name":19,"type":20},"Clop","threat_actor",{"name":22,"type":23},"May 2023 Clop ransomware global campaign (CVE-2023-34362)","campaign",{"name":25,"type":26},"SQL injection","technology","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":27,"icon":29,"name":30,"slug":31},null,"GDPR","gdpr",[33,38,43,48],{"category":34},{"id":35,"icon":29,"name":36,"slug":37},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":39},{"id":40,"icon":29,"name":41,"slug":42},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":44},{"id":45,"icon":29,"name":46,"slug":47},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":49},{"id":50,"icon":29,"name":51,"slug":52},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[54,58],{"type":55,"value":56,"context":57},"cve","CVE-2023-34362","Critical SQL injection zero-day in file transfer software exploited by Clop on 31 May 2023",{"type":59,"value":60,"context":61},"malware","human2.aspx","Web-shell backdoor deployed by Clop during exploitation of CVE-2023-34362"]