New York Issues Letter to Regulated Entities Regarding Microsoft Exchange Breach

March 12, 2021

The New York Department of Financial Services’ (DFS) Cybersecurity Division issued a March 9 letter to regulated entities regarding the recent Microsoft Exchange breach in which thousands of organizations were compromised via vulnerabilities in the Microsoft Exchange servers.

On March 2, 2021, Microsoft reported that four vulnerabilities were discovered in the Microsoft Exchange servers from 2013 and later. The company made patches available for these vulnerabilities, but many organizations were compromised either before the patches were available or before they were applied, according to DFS.

This comes as Reuters reported on March 7 that more than 20,000 U.S. organizations had been compromised through a back door installed via recently patched flaws in Microsoft Corp.’s email software, according to a person familiar with the U.S. government’s response.

Photographer: Chris Ratcliffe/Bloomberg

As of early March, the hacking had already reached more places than all of the tainted code downloaded from SolarWinds Corp, Reuters went on to report, with records showing that tens of thousands of organizations in Asia and Europe were also affected.

DFS in its letter urged all regulated entities with vulnerable Microsoft Exchange services to act immediately to patch or disconnect vulnerable servers and use the tools provided by Microsoft to identify and remediate any compromise exploiting these vulnerabilities.

“Regulated entities should immediately assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact,” DFS’ letter stated, adding that this assessment should identify internal use of vulnerable Microsoft Exchange products and any use of these products by third parties. “Regulated entities should also continue to track developments in this compromise and respond quickly to new information.”

New York’s cyber regulation requires that regulated entities report cybersecurity events within 72 hours at the latest.


Topics New York

Was this article valuable?

Here are more articles you may enjoy.