BERLIN (Reuters) - German officials are racing to bolster cyber security after a far-reaching data breach by a 20-year-old student laid bare the vulnerability of Europe’s largest economy ahead of a critical European Parliament election in May.
Officials say they are anxious to close security gaps and raise awareness ahead of the upcoming election, where voters from across the European Union will choose lawmakers for the parliament, amid concerns that foreign powers or right-wing forces could seek to manipulate the election.
“We have to think about preventive measures,” Interior Minister Horst Seehofer told Reuters.
German authorities have said an unnamed student who lived with his parents had confessed to one of Germany’s biggest data breaches, that involved leaking personal data and documents of about 1,000 people, including Chancellor Merkel and other politicians and high-profile individuals.
“If it was so easy to break into accounts that a 20-year-old could do it in the bedroom of his parents’ home, others can do it too,” Holger Muench, head of Germany’s BKA federal criminal police, said.
“Professional hackers have even more methods to steal passwords, and way more resources.”
The interior minister on Tuesday outlined several measures designed to improve security, including plans to hire hundreds of additional cyber experts for the federal police force and the BSI federal cyber security agency and set up an early-warning system by establishing a unit to use technology to monitor and prevent such attacks.
And, the government would in the first half of this year update an existing security law with more protections for industry and citizens, he said.
Seehofer also said the government would boost training for politicians and the general public about using secure passwords, adding many people continue to use ones that are easy to guess.
The BSI and the federal criminal police met with lawmakers on Wednesday to discuss the case and underscore better security procedures.
German politicians have criticised the security agencies for not acting sooner to tackle the breach. The BSI has said it was contacted by a lawmaker in early December about suspicious activity on their private email and social media accounts, and was aware of four other cases during 2018, but failed to connect them until the full extent of the breach became apparent last week.
“At the time, we looked at them and they looked like isolated cases,” BSI chief Arne Schoenbohm told reporters. The BSI is responsible for the operational protection of government networks; much of the data affected in the latest breach came from personal accounts.
The suspect was also known to authorities for previous attempts to steal private data in 2017, though had no prior conviction. Bild newspaper cited investigative sources late on Wednesday as saying that the suspect had purchased some of the passwords and data he posted on the dark web, or darknet, a part of the Internet that lies beyond the reach of search engines.
Asked why authorities had not put him under surveillance after that incident, BKA chief Muench said: “It’s a common crime - like robbery. And you can’t put everyone under surveillance, especially if they’re at such a young age.”
Germany has faced repeated attacks on government networks in recent years. A 2015 hack of the Bundestag lower house of parliament that security officials say was carried out by a Russian hacking group called APT28 resulted in the loss of over 10 gigabytes of data, including emails, officials said at the time.
Last year, an attack on the Foreign Ministry although few details have been released on the impact of the hack.
Most of those affected by the latest data breach saw their private mobile numbers and home addresses published, and dozens of individuals saw photographs, private chats and other personal details published.
Experts say the reliance of many German lawmakers on private, less-secure mobile phones and lack of awareness about complex passwords continue to invite attacks. Germany’s decentralised political system and the ties of politicians to small, local districts where security can be more lax also make it harder to guard against attacks, security experts said.
In addition, responsibilities for cyber security are widely divided among federal ministries and agencies in Germany’s 16 federal states that can slow detection and sharing of data.
Germany is not alone among large Western countries to have suffered high-profile attacks on politicians.
France saw the leak of large quantity of hacked data from Emmanuel Macron’s presidential campaign on the eve of his election in 2017.
In the United States, hackers accessed Democratic computer networks and stole large amounts of data ahead of the 2016 presidential elections and a campaign group supporting Republican candidates running for the U.S. House of Representatives said it was hacked before last year’s congressional elections.
Reporting by Andrea Shalal; Additional reporting by Paul Carrel; Editing by Giles Elgood and Hugh Lawson