A 20-year-old German man was arrested this week in connection with the largest data breach in German history.
The unnamed hacker, who goes by the now-suspended Twitter handle @_0rbit, confessed to orchestrating the attack which targeted approximately 1,000 German political leaders, celebrities, and journalists.
The attack exposed a sizeable cache of the victims’ personal information, including private messages, personal photographs, credit card data, phone numbers, and private addresses.
Though the hacker’s political affiliation is not apparent at this time, nearly all German political parties were affected, including Chancellor Angela Merkel and her Christian Democratic Union. The only political party that appeared to be spared was the far-right Alternative for Germany (AfD) party. At present, it's unknown whether this was intentional.
According to the suspect’s confession, his only motive was his displeasure at statements made by the public figures he targeted in the data breach.
The hacker leaked the data on his Twitter feed on a daily basis throughout December, in the style of an advent calendar. The Twitter account had over 18,000 followers before being suspended last week. According to the hacker’s confession, he acted alone and had gathered the information over an extended period of time before exposing the data on Twitter.
One rather alarming detail about the operation was that the hacker lacked formal IT training. Instead, he taught himself the hacking methods he used in the attack using resources he found online. The fact that such a sophisticated attack on high-profile targets could be performed by a single, self-taught individual will likely alarm cyber-security professionals.
Although the hacker no longer has access to the accounts, and the security vulnerabilities that he was able to exploit have since been patched, the damage has already been done. Now questions regarding the German information security agency’s handling of the data breach will need answering. How did the breach continue on a daily basis for an entire month unimpeded? Why did authorities dismiss the breach as an isolated incident when they first learned of the attacks in December? When exactly did German intelligence agencies realize the actual scale of the attack and why didn’t they immediately address the situation publicly, to reassure German citizens’ concerned about the security of their private data?
The breach had such an impact that it prompted several political leaders to take action. Robert Habeck, head of The Greens, deleted both his Twitter and Facebook accounts after being directly affected by the attack. German Interior Minister Horst Seehofer proclaimed to a group of reporters at a press conference that he would propose new data protection legislation this year in response to the breach.
Though the attack focused heavily on political targets, government officials announced that no government systems had been affected by the breach. Regardless, the largest data breach in German history serves as a sobering reminder that such an attack is alarmingly simple to orchestrate and that government officials and citizens alike need to be fully aware of the security risks and take steps to protect their online data.
One of the best ways for individuals to protect their sensitive personal data online is through the use of a virtual private network (VPN). The best VPNs on the market today will fully encrypt their users’ internet communications and can act as an essential online security tool to help protect users’ private data.