
Cyber attack and GDPR liability.
Zero-day exploits are considered almost impossible to defend against. Does a company still have to accept liability for stolen customer data? Is the use of certified, commercially available software really sufficient?
Cyber attack with insurance
An insurance company looked after Riester customers. An IT service provider managed the customer data as a processor. In May 2023, hackers gained access to the systems via a zero-day exploit. They obtained the name, address, date of birth, tax ID and social security numbers of a customer. The customer demanded compensation.
What is a zero-day exploit?
A zero-day exploit is an attack that takes advantage of a security vulnerability that is not yet known to the affected software manufacturer at the time of the attack. The term “zero-day” refers to the fact that the manufacturer had zero days to react to the vulnerability – a patch simply does not yet exist. Attackers who discover such a gap have a decisive time advantage over the provider.
In this case, the criminals exploited precisely this constellation: they used the previously unknown vulnerability to gain access to the provider's software and installed a web shell that gave them persistent remote access. A security update could have closed the gap, but none was available at the time of the attack.
Decision of the regional court on liability
The Krefeld Regional Court dismissed the action in its judgment of 06.11.2025 (Ref. 3 O 93/24). The court found no culpable infringement of data protection obligations, in particular of the security and organizational obligations and the accountability obligations.
The use of a software solution that, at the time of the attack, was considered state of the art, was certified and was used by market leaders fulfils these requirements. A company that relies on proven and widely used systems does not act culpably in doing so.
The defendants were only obliged to take appropriate measures aimed at preventing a data breach as far as possible. This is not the same as taking every measure the state of the art permits.
The judges also rejected the argument that previous security reports on this software had indicated a particular liability risk. Such reports alone are not sufficient to attribute negligence to the company or force it to look for alternatives.
Practical relevance and evaluation
This ruling is relevant for any company that uses external service providers or standard software. Anyone using payment transaction systems, data management solutions or customer databases does not have to examine every conceivable alternative. It is sufficient to choose solutions that correspond to the state of the art.
At the same time, the ruling does not constitute a carte blanche. The court emphasized that companies must not neglect their security obligations. They must maintain backups, implement access controls, apply patches promptly and train employees. The level of security must correspond to the respective protection requirements.
Conclusion
The Krefeld Regional Court provides companies with an important point of reference. Data protection liability is not an absolute. The requirements of the GDPR are met by a conscious, professional selection of proven solutions, regular security updates and appropriate technical and organizational measures.
Those who act in this way are not in breach of data protection regulations, even if criminals exploit unknown vulnerabilities. The GDPR does not demand perfection, but responsible risk management.