Germany’s cyber security authority criticised for failing to disclose data breach

Germany’s BSI (Federal Office for Information Security) has come under fire for its alleged mishandling of a security incident in which the personal details of almost a thousand public figures, including Chancellor Angela Merkel, were stolen and published online. 

The authority reportedly discovered the leak in December 2018, but didn’t notify the Federal Crime Office until Friday, 4 January 2019. 

Dietmar Bartsch, parliamentary head of the opposition Die Linke party, said the failure to report the breach was “completely unacceptable” and questioned whether the office has “something to hide”. 

Meanwhile, party colleague André Han said: “It makes me unbelievably cross that yet again I’ve found out about such things from the media – even though I’m a member of the parliamentary monitoring group […] the federal government’s duty to keep parliament informed still applies between Christmas and the new year.” 

Who was targeted? 

Those who had their details leaked include: 

  • Chancellor Angela Merkel, whose email address was leaked along with several letters she had sent and received.
  • Members of each of Germany’s major parliamentary parties, including the ruling centre-right and centre-left parties, as well as The Greens, Die Linke and FDP. Far-right AfD was the only party whose members were unaffected. 
  • Journalists from public broadcasters ARD and ZDF, as well as TV satirists Jan Böhmermann and Christian Ehring. 
  • Rapper Marteria and rap group K.I.Z. 


BSI president Arne Schoenbohm responded to the criticism by saying that his team “had already held corresponding talks very early in December with certain members of parliament who were affected” and launched a “mobile incident response team”. 

However, at the time of that meeting, the BSI wasn’t fully aware of the extent of the breach. It was only when a Twitter user, later revealed to be the person behind the attack, published portions of the stolen data, that the authority conducted further analysis. 

This analysis ultimately led to the perpetrator’s apprehension. He was revealed to be a 20-year-old Hesse resident, who told investigators that he had been motivated by his annoyance at statements made by victims of his attacks. 

Weak passwords 

Interior Minister Horst Seehofer was among those who rebuked criticism of the government’s handling of the incident, but he was equally frustrated with the victims. 

He claimed the hacker wouldn’t have been able to gather as much data if the victims had created more sophisticated passwords. 

“Bad passwords were one of the reasons he had it so easy,” Seehofer said. “I was shocked at how simple most passwords were: ‘ILoveYou’, ‘1,2,3’. A whole array of really simple things.” 

Poor passwords are without a doubt the biggest vulnerability in any organisation, and, as Seehofer indicates, it’s one of the simplest to fix. 

This incident should cause those affected to rethink their security practices and may well lead to strengthened government policies on password creation. 

Seehofer has already announced that Germany’s police force will be recruiting hundreds of additional cyber security experts and setting up a round-the-clock IT crew, which would use early warning system software to identify and respond to attacks. 

Sign up for the Daily Sentinel to receive the latest cyber security news and advice.