Bavarian Data Protection Authority automatically scans several thousand companies’ email servers for security vulnerabilities

Written on 7 Oct 2014

In September 2014, 750 companies seated in Bavaria found a notice letter from the Bavarian data protection authority in their mailboxes. After scanning about 3,500 email servers (MX records) of about 2,200 companies with an automated scanning tool, the authority found that 750 email servers did not comply with current security standards. The authority requested the companies to update their servers accordingly. The companies now have to react in order to avoid further steps – administrative fines are not excluded.

What had happened? The Bavarian Data Protection Authority (DPA, Bayerisches Landesamt für Datenschutzaufsicht) had already used automated scanning tools in the past to discover breaches of data protection law automatically and to prosecute the affected companies. Now the DPA took a detailed look at data security and approached companies that had at least one of the following security issues:

The email server did not offer encrypted connections (STARTTLS to establish an encrypted connection, and encryption of the subsequent data exchange).

Please note: the DPA does not require end-to-end encryption, which is usually achieved by encrypting the emails themselves, e.g. with PGP, GnuPG or a comparable encryption tool. The encryption the DPA requests only affects the connection between email clients and servers. However, with public wireless hotspots becoming more and more widespread, it has become common practice for hackers and script kiddies to read unencrypted email traffic sent over a publicly accessible, unencrypted Wi-Fi connection – which is prevented by the encrypted server connections the DPA requests.

Even when offering encrypted connections, Perfect Forward Secrecy had not been implemented.

Until now, many encrypted connections have used the same encryption keys over time. If a third party records encrypted traffic for a longer period and later gets hold of the encryption key, it is able to decrypt all the encrypted traffic it recorded in the past. This is what many IT security experts fear has happened in the course of the Heartbleed bug (see below). To prevent decryption of traffic stored in advance, Perfect Forward Secrecy requires the encryption keys to be changed frequently.
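A self-check for the first two findings (no STARTTLS, and STARTTLS without forward secrecy), added here as an illustration and not the DPA's scanning tool: it connects to one MX host that the reader has already looked up, inspects the EHLO reply for STARTTLS, then negotiates TLS and classifies the negotiated cipher by whether it uses an ephemeral (EC)DHE key exchange, which is what Perfect Forward Secrecy means in TLS terms. The hostname and the EHLO replies in the block are constructed samples.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (bytes, as smtplib returns them), used only
# to exercise the parser offline; they are not any real server's output.
EHLO_WITH_STARTTLS = b"mx.example.test\nPIPELINING\nSIZE 52428800\nSTARTTLS\n8BITMIME"
EHLO_WITHOUT_STARTTLS = b"mx.example.test\nPIPELINING\nSIZE 52428800\n8BITMIME"


def ehlo_offers_starttls(ehlo_reply: bytes) -> bool:
    """Return True if the multi-line EHLO reply advertises the STARTTLS extension."""
    return any(line.strip().upper() == b"STARTTLS" for line in ehlo_reply.splitlines())


def cipher_has_forward_secrecy(cipher_name: str, protocol: str) -> bool:
    """Forward secrecy needs an ephemeral (EC)DHE key exchange. OpenSSL names such
    suites ECDHE-/DHE- (older spellings EECDH-/EDH-); every TLS 1.3 suite is ephemeral."""
    if protocol == "TLSv1.3":
        return True
    return cipher_name.upper().startswith(("ECDHE-", "DHE-", "EECDH-", "EDH-"))


def check_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to one MX host and report the two findings the DPA looked for:
    no STARTTLS offered, and STARTTLS without forward secrecy."""
    result = {"host": host, "starttls": False, "protocol": None,
              "cipher": None, "forward_secrecy": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, reply = smtp.ehlo()
        result["starttls"] = ehlo_offers_starttls(reply)
        if not result["starttls"]:
            return result                       # finding 1: plaintext only
        # Certificate verification stays on: a bad certificate is a finding too.
        smtp.starttls(context=ssl.create_default_context())
        name, proto, _bits = smtp.sock.cipher()
        result.update(cipher=name, protocol=proto,
                      forward_secrecy=cipher_has_forward_secrecy(name, proto))
    return result


def findings(result: dict) -> list:
    """Translate a check_mx() result into the DPA's finding categories."""
    issues = []
    if not result["starttls"]:
        issues.append("no STARTTLS offered")
    elif not result["forward_secrecy"]:
        issues.append("STARTTLS without Perfect Forward Secrecy")
    return issues


if __name__ == "__main__":
    import sys
    for mx in sys.argv[1:]:                     # e.g. python check_mx.py mx.example.test
        r = check_mx(mx)
        print(mx, r["protocol"], r["cipher"], findings(r) or ["OK"])
```

Run it against your own MX hosts only; a server that fails certificate verification raises an `ssl.SSLError`, which is itself something to fix rather than suppress.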

The Heartbleed bug was still present.

The Heartbleed bug is one of the most severe security vulnerabilities of recent years. Even though information on the Heartbleed bug has been widely reported in the media, a large number of IT systems are still vulnerable. The Heartbleed bug allows anyone with sufficient technical skills to read data – including emails, private encryption keys or any other data – from every affected device via publicly available interfaces. No specific access to any hardware or software is required, just an internet connection. The Heartbleed bug is contained in certain versions of the OpenSSL library, a common tool for implementing encrypted communication, widely used in all kinds of devices from servers to Android smartphones.

The DPA sent out notices to the affected companies and requested further information about the breach. The companies concerned now have to remedy the security breaches as soon as possible. The DPA highlighted its ability to impose administrative fines should the affected companies not cooperate, and that it may instruct them to take appropriate measures.

The Bavarian DPA announced that it may also provide the scanning tool to the DPAs of other German federal states. In fact, the DPA of Baden-Württemberg did scan 11,000 websites for the Heartbleed bug and found 46 vulnerable providers, which were approached in the same way.

Every company should now ensure its compliance with the requirements outlined above. But if the Heartbleed bug is still unfixed, being contacted by the DPA is not the main problem, given the seriousness of the potential data leak.

And by the way: the foregoing affects almost every company, not only public email providers. If a company receives emails under its own domain name, it is running an email server and has to comply with the requirements above. The DPA highlights that companies which have outsourced their email service are also responsible for their outsourcer's compliance.

The foregoing has shown that German DPAs are now proactively scanning IT that is accessible through the Internet for security vulnerabilities. In such cases, compliance with legal requirements can easily be checked – and re-checked after notices have been sent out.

Thus, it should be in every company's interest to fix at least the Heartbleed bug as soon as possible. But unencrypted email servers, too, are definitely no longer state of the art and should be updated, together with the implementation of Perfect Forward Secrecy. Companies that were approached by the DPA should act as fast as possible in order to avoid administrative fines. But those companies that have not been contacted by the DPA should also take action: it is better to plan such implementations in advance than to be forced to update the systems at very short notice and under the pressure of possible fines.