Cyber Incident Victim: Austrian Financial Market Authority (FMA)
Date: May 2023
Location: Austria
Summary
The Finanzmarktaufsichtsbehörde (FMA) was compromised by hackers exploiting a previously unknown vulnerability in the MOVEit secure file transfer software. The attackers copied and stole datasets that were prepared for transfer, which were described as highly heterogeneous in quality and structure. While the stolen data included some salary information, the data protection relevance was assessed by the FMA as limited, affecting a restricted number of individuals who were to be notified directly.
Description
On or around May 31, 2023, the Austrian Financial Market Authority (Finanzmarktaufsicht or FMA) fell victim to a global, simultaneous cyber attack. The intrusion exploited a previously unknown security vulnerability within software known as MOVEit, a secure file transfer application developed by Progress Software. The attackers successfully leveraged this zero-day flaw to infiltrate the FMA's systems. Their specific action involved the unauthorized copying and theft of data sets that were residing on the compromised platform. The FMA utilized this software as a part of its secure file transfer infrastructure, making it a target for the widespread campaign.

The nature of the stolen data was described by the FMA as highly heterogeneous. This characteristic was a direct result of the software's function as a data transfer tool; the information was not stored in a centralized database but was instead in transit or staged for transfer at the time of the breach. The compromised data sets were reported to be a random selection of what was available on the platform, leading to a varied and mixed collection of information. Confirmed examples of the affected data types included salary information and similar personnel-related records. The FMA emphasized that the data was not uniform in its structure or sensitivity due to the circumstances of the attack.

Upon discovery of the intrusion, the FMA's response was immediate and multifaceted. The organization's first priority was to address the initial attack vector. Working with external cybersecurity specialists, the FMA was able to promptly close the security gap in the MOVEit software, thereby preventing any further unauthorized access or data exfiltration from their instance of the platform. Following this initial containment, the organization began working at high intensity to limit and remediate the damage caused by the incident. This involved a thorough forensic process to identify the full scope of the compromise.

A critical step in the response was the identification and analysis of the specific data sets that were stolen. The FMA conducted a data protection assessment to determine the legal and privacy implications of the breach. The analysis concluded that the number of individuals indirectly affected by this data theft was limited. This assessment was based on the heterogeneous and non-systematic nature of the stolen data, which reduced its overall datenschutzrechtliche Relevanz, or data protection relevance. As a result of this finding, the FMA decided to directly inform only those individuals whose data was determined to be impacted, rather than issuing a broader public notification.

The FMA also fulfilled its legal and regulatory obligations by notifying the relevant authorities. This included reporting the incident to the appropriate law enforcement agencies to initiate criminal investigations into the theft. The organization was transparent about the event, publicly acknowledging its occurrence through an official statement published on its website. For media inquiries, the FMA directed journalists to its spokesman, Klaus Grubelnik, providing both a telephone number and an email address to facilitate communication. The public statement aimed to provide factual details about the attack, the nature of the stolen data, and the steps taken in response, while also conveying that the data protection risk was assessed as being contained. The incident was part of a larger global attack pattern targeting the MOVEit vulnerability, situating the FMA as one of many entities impacted by this specific exploit during that time period.
