date 2023-03-05

The BSI is currently warning of a possible data protection violation when using VirusTotal. Beyond the data protection risk, other sensitive information belonging to your own organization or to external parties is also at risk of being disclosed to third parties.

What is VirusTotal?

VirusTotal is a service provided by Google and reachable online. For example, you can use it to check suspicious web addresses (URLs) before opening them in the browser on your own system. This is a recommendation we make frequently, for example in our training courses and webinars.

In addition to the URL check, VirusTotal also lets you upload files to be checked online by a large number of well-known virus scanners. And there lies the rub. Besides direct use in the browser, VirusTotal also offers business services that do not require a manual upload; instead, the check is carried out automatically in the background.

“This service is often used by private individuals and companies to check suspicious files in order to obtain more reliable results than with just one scanner due to the large number of antivirus programs,” according to the Federal Office for Information Security.

What is the problem or data breach when using VirusTotal?

If files containing personal data are uploaded or checked, this usually constitutes processing on behalf of a controller (Auftragsverarbeitung) under Art. 28 GDPR (DSGVO). This must be regulated and contractually agreed correctly, including a review of the technical and organizational measures (TOM), BEFORE the service is used. In addition, according to the BSI, the data is passed on to numerous AV/scan providers based outside the EU. Against the background of the current discussion about third-country transfers, this is not entirely unproblematic.

And by the way: even if files without personal data are uploaded, there is a not inconsiderable risk, namely when the file contains confidential or sensitive information of the organization (or of a customer, citizen or client). Such a file is happily shared with all connected providers. Do you want that for business or organizational secrets? Rather not.

What can help?

- Make employees aware of this fundamental security problem when using the service, or raise their awareness of it (no, paper alone is not enough!).
- Make arrangements as to whether and, if so, which files may be subjected to a check by the service (e.g. only if the confidentiality status is “public”).
- Or, as the BSI advises, only work with the hash values of the files (tricky, but doable).
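To show what the last two points look like in practice, here is an added example (not code from the post or from the BSI): the file is hashed locally, a VirusTotal lookup is built from the SHA-256 alone, and an upload of the actual content is only permitted when the organization's own confidentiality label is “public”. It assumes VirusTotal's API v3 files endpoint with the x-apikey header; the classification label, the API key placeholder and the sample content are constructed.

```python
"""Hash-only VirusTotal lookup with a confidentiality gate (constructed example)."""
import hashlib
from typing import Callable, Optional

# VirusTotal API v3 addresses an existing file report by its hash; only the digest travels.
VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_hash_lookup(sha256_hex: str, api_key: str) -> dict:
    """Describe the GET request for a hash lookup: the file content is never part of it."""
    if len(sha256_hex) != 64 or set(sha256_hex) - set("0123456789abcdef"):
        raise ValueError("expected a lowercase hex SHA-256 digest")
    return {"method": "GET", "url": VT_FILES_ENDPOINT + sha256_hex,
            "headers": {"x-apikey": api_key}}

def decide(digest: str, classification: str, api_key: str) -> dict:
    """Policy gate. 'classification' is an assumed label from the organisation's own
    scheme (not a VirusTotal field): a content upload is permitted only for 'public',
    while the hash-only lookup is always allowed because it discloses no content."""
    return {
        "sha256": digest,
        "hash_lookup": build_hash_lookup(digest, api_key),
        "upload_permitted": classification.strip().lower() == "public",
    }

def check_file(path: str, classification: str, api_key: str,
               send: Optional[Callable[[dict], object]] = None) -> dict:
    """Hash the file locally, then (optionally) send only the hash lookup via 'send'."""
    result = decide(sha256_of_file(path), classification, api_key)
    result["response"] = send(result["hash_lookup"]) if send else None
    return result

if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")  # constructed sample content, not a real document
    print(check_file(tmp.name, "confidential", "API_KEY_PLACEHOLDER"))
```

Wire `send` to your HTTP client of choice; with `send=None` nothing leaves the host, which makes the gate easy to dry-run in a pipeline before any real lookup is enabled.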

The questions for security officers on page 3 of the BSI’s statement on the subject offer further support here.