In an extensive series of tweets throughout December, hackers leaked sensitive data from hundreds of German politicians, including members of the European parliament, German parliament, and regional state parliaments. The move reflects an insidious strategy criminals and hacktivists sometimes use to expose and endanger targets by leaking deeply personal details about them and their families.
The leaks also impacted Chancellor Angela Merkel to a degree, as well as some journalists and performers. Though hackers posted the stolen information to a Twitter account over many days as a sort of digital advent calendar, the tweets gained attention on Thursday, and Germany’s Federal Office for Information Security scrambled to react on Friday as Twitter removed the account.
The trove of leaked documents is massive, but early assessments indicate that it seems focused less on exposing state secrets than it does on revealing deeply personal information about its targets. The exposed data includes internal political communications, like emails and scans of faxes, along with credit card information, home addresses, phone numbers, personal identification card details, private chat logs, and even voicemails from relatives and children.
“There is no doubt that personal data leaks can be dangerous. It’s difficult to offer protection to the victims,” says Lukasz Olejnik, an independent cybersecurity adviser and research associate at the Center for Technology and Global Affairs at Oxford University. “So far I don’t see one particular target—it looks like it comes from many sources and platforms. It makes you wonder why the leaked data concerns a very broad political spectrum.”
Indeed, the trove seems to contain revelations about politicians from all of Germany’s major political parties except the far-right group Alternative for Germany.
Compounding the problem, the hackers also seem to have gone to great lengths to create not just landing pages with login credentials to host the materials, but also redundancies and mirror sites, making it difficult to scrub the data from the web. They set up dozens of duplicates of the leaked data, and hosted it on many different servers, making it harder for German officials and tech companies to potentially find all of the versions and remove them—especially since the content was live for weeks, and may have been downloaded and even reposted by a number of third parties.
The motives for the leak remain unclear, but this isn’t the first time hackers have used invasively personal information as an intimidation tactic or to sow unrest. In the wake of the 2014 Sony Pictures breach, for example, hackers leaked corporate secrets from multiple Twitter accounts; Sony Pictures threatened to sue the social network if it didn’t keep up with banning the accounts. Even more similar to the recent incident in Germany was a massive leak on Twitter in 2016 of personal information from Chinese business executives and political affiliates, including birth dates, personal addresses, and national identification numbers.
The approach is particularly damaging because it puts victims and their associates at risk of personal attacks.
“Going after multiple political individuals and releasing data like family chats would lead you to believe that this was politically motivated and meant to cause chaos,” says David Kennedy, CEO of the incident response consultancy TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signal intelligence unit. “I would surmise based on the type of data that the motives are primarily political and meant to scare and damage individuals.”
While official details are still unavailable, the data appears to have been collected from multiple web platforms where targets had accounts and reused exposed passwords. “I doubt that it was all from one source,” says German security researcher Matthias Merkel. “There shouldn’t be any one source that has all that information—especially considering that the leak includes chat transcripts.”
Matching online accounts to exposed passwords and collecting data on so many people would be time-consuming compared with compromising a single existing database, but it’s nonetheless a fairly common criminal tactic, and portions of the process can be automated. The German government has also suffered some systemic data breaches in recent years (which are not necessarily related to the Twitter leak), including an intrusion on its parliamentary network in 2015 and an attack on its central network in February.
The attackers don’t seem to have made any demands or statements of intent, making it difficult to know what the leak was driving at. “There aren’t too many reasons for compiling a dataset like that. Selling would be an option, but since the data was dumped that’s unlikely,” says Merkel. “And there are just some state elections coming up in Germany, nothing federal.”
But the incident fits into a broader trend of crafting detailed and deeply personal leaks that have long-lasting repercussions for their victims. “It’s interesting that this has happened now, when there’s still a lot of time before the next German elections,” Olejnik says. “This is why it’s premature to speculate that it’s related to targeting the election process. However, perhaps someone has collected additional material to potentially leak in the future.”