In the first week of the new year, German politics, media and entertainment circles have been shook up by an extensive personal data leak. Links to download personal data of German politicians, journalists and entertainers were spread through a Twitter account. Data included personal emails, financial information, personal pictures and the like. Because of the size of the leak the exact contents and ramifications are still unknown and new, sometimes compromising, data is still being discovered. (Blond 2019, BBC (b) 2019, Niehe 2019, Steer 2019)
Early on in the data leak German authorities expressed the suspicion that Russian authorities were behind the hack in an attempt to destabilize the German democracy. On the back of already existing tensions between Europe and Russia these accusations will only throw oil on the fire, especially when taking into account the fact that the Russians have denied any wrongdoing. On the tail end of these accusations a suspect, a 20-year-old German man, has been arrested on the suspicion of being the lone perpetrator behind the hack and leak. He has confessed to using common passwords and letter combinations to gain access to social media and email accounts with great rates of success. The young man supposedly stated that he was amazed at the obvious passwords being used, for example ILoveYou. (Connolly 2019, BBC (a) 2019, BBC (b) 2019, Chase 2019, Davies 2019)
If the confessions of the young man turn out to be true, they will contradict the suspicions of Russia being behind the hacks, making these accusations and diplomatic ramifications awkward to deal with for German authorities. These types of hacking and data leaks have shown to be able to have severe consequences on interstate relations. When states accuse each other of hackings and data leaks the diplomatic consequences can be severe, in particular when such accusations turn out to be incorrect. (Chase 2019, Whittaker 2019)
This data leak has once again underlined the old adagio of the human being and his behavior often being the weakest link in IT-security. German security services will undoubtedly spend a lot of money and effort on protecting politically sensitive information in the digital realm, which can only be put to use if individual users like in this case politicians, have the right habits when navigating and using online platforms. Despite the fact that most, if not all, of the accounts that were hacked are personal, the consequences are felt on a state level because of the type of victims and the statements made by the authorities. (Connolly 2019)
So, when we look at privacy and security of data, technical security is important however it has to be combined with solid awareness among users on how to safely use online platforms and other applications that store personal data. In practice this means a number of things, chief among which is the notion that real awareness is only created through repeated efforts. It is essential that any organization develops a strategy and planning which is needed to put the notion of repeated training into practice. Without wanting to control politicians in their personal lives, effort should be made by security services to provide the necessary tools and knowledge so that they can manage their passwords more securely. Serious (time and training) investments in guidance and policies are needed for politicians and government employees. Awareness and knowledge are key and training the target group of politicians and government employees on the fact that ILoveYou is not an appropriate or secure password is the first step in creating a more secure data environment for any government. (Connolly 2019)
Tools like trainings and online resources are available to do this in a thorough and consistent way, allowing any government or other type of organization to improve their security awareness. Governments aren’t alone in the fact that data leaks can negatively influence their objectives, so other organizations should take note of this German data leak and include all people in the organization in their efforts to protect their data by creating awareness about data security issues among all employees.
Investments in security awareness should not only be seen as a preventative measure but also as an investment in keeping up the good name of an organization and as a facilitator of trust between an organization and its public or customers.
Author: Djamel Becherif, MSc.
BBC (a). 2019. German cyber officials defend handling of mass data attack. 5 January. https://www.bbc.com/news/world-europe-46768990?intlink_from_url=https://www.bbc.com/news/topics/cwz4lvzgq9gt/data-protection&link_location=live-reporting-story.
BBC (b). 2019. German data theft: Suspect confesses in Hesse. 8 January. https://www.bbc.com/news/world-europe-46793116.
Blond, Josie Le. 2019. German politicians’ personal data leaked online. 4 January. https://www.theguardian.com/world/2019/jan/04/german-politicians-personal-data-hacked-and-posted-online.
Chase, Jefferson. 2019. German hacker behind massive political data leak identified. 8 January. https://www.dw.com/en/german-hacker-behind-massive-political-data-leak-identified/a-46991625.
Connolly, Kate. 2019. German cyber-attack: man admits massive data breach, say police. 8 January. https://www.theguardian.com/world/2019/jan/08/germany-data-breach-man-held-in-suspected-hacking-case.
—. 2019. German data breach: agencies ”failing to take security seriously”. 7 January. https://www.theguardian.com/world/2019/jan/07/germany-data-breach-teenager-being-questioned-by-police.
Davies, Tom. 2019. Man arrested over major data breach in Germany. 8 January. https://gdpr.report/news/2019/01/08/man-arrested-over-major-data-breach-in-germany/.
Niehe, Thomas. 2019. Student aangehouden voor hack Duitse politici. 8 January. https://www.agconnect.nl/artikel/student-aangehouden-voor-hack-duitse-politici?tid=TIDP136249XB2CDAB8DD53F42B79CC016901D520BDEYI5&utm_campaign=AGC_nieuwsbrief%20dagelijks&utm_medium=Email&utm_source=SMG&utm_content=Di%208%20jan.
Steer, George. 2019. Man Arrested In Connection With German Data Breach. 8 January. http://time.com/5496579/arrest-german-data-leak/.
Whittaker, Zack. 2019. Hacker leaks data on Angela Merkel and hundreds of German lawmakers. 2 Jauary. https://techcrunch.com/2019/01/04/germany-data-breach-lawmakers-leak/.