Read »Further information« at Netzpolitik.org: regarding the data leak, the Bundestag's IT department tells MPs to inform themselves
IT experts from the Bundestag have informed members of parliament that their data appears in a large Facebook data set that was recently published in a hacker forum.
"The Bundestag administration has the information that the private telephone numbers of around 50 MPs have been published on the Internet," says an email sent to MPs.
The message, which SPIEGEL has seen, is dated April 12 and, for “further information” on the data leak, refers to an article on the specialist portal Netzpolitik.org, which was the first to report that politicians were affected.
The warning to the MPs was therefore only sent eight days after the Facebook leak became known.
The leak exposed private data from a total of more than half a billion users, including private telephone numbers, name, Facebook ID, place of residence and, in some cases, private e-mail addresses.
The warning from the Bundestag administration thus appears to be merely a reaction to the media report by Netzpolitik and not based on the German security authorities' own examination of the data leak.
Such an examination by the Federal Office for Information Security (BSI) is currently in progress, however, according to the email to the MPs.
New reliable information is not yet available.
BKA employees, soldiers and victims affected by threats
According to SPIEGEL research, the leak contains data from at least 54 members of the Bundestag.
Other people who work for members of the Bundestag are also in the data leak.
Almost 15,000 people who state that they work for the Bundeswehr on their Facebook profile can also be found in the data set.
In addition, numerous employees of German security authorities such as the Federal Criminal Police Office and various state criminal police offices are also affected by the publication of personal data.
SPIEGEL checked and verified some of the data on a random basis.
In a total of around 2000 cases, the personal data record contains the reference "police officer".
The data also includes the personal phone numbers of people who have received threatening messages in the past through groups such as the so-called NSU 2.0 or other right-wing extremist groups.
At least some of these people have not been made aware by security authorities that their data has ended up online.
“This is the first time I've heard of this,” says one of the victims, for example.
Opposition criticizes the slow reaction of the authorities
The leak is circulating in hacker forums, from which cybercriminals often obtain data in order to attack their victims or to better camouflage their attacks.
State-commissioned hackers could also use the data to make their attacks on politicians more successful.
For example, the hacker group "Ghostwriter", behind which security authorities suspect the Russian secret service, used personal e-mail addresses of MPs in its recent attacks, of the kind contained in this leak.
Konstantin von Notz, internet policy expert of the Greens, criticizes the fact that the MPs affected by the leak were not informed more quickly by the German authorities.
“Obviously, such data is of great interest not only to criminals, but also to intelligence services.
Against this background, the previous lethargy of the federal government and security authorities is extremely surprising,” said von Notz.
Left MP Martina Renner demands that the leak have "tangible consequences" for Facebook.
"Facebook's information policy is a catastrophe," says Renner, whose data is also in the dataset.
Renner warns that the leaked data could also be misused for threatening messages by right-wing extremist groups.
The publication of the data gives potential perpetrators the opportunity to harass those affected by phone calls or even to spy on their whereabouts, according to Renner.
"The irresponsible handling of such data leaks by Facebook or other companies makes them ultimately accomplices of the perpetrators."
Doxing, SIM swapping, phishing: possible attacks for criminals
In the past, trolls and right-wing extremist network groups have repeatedly used leaked personal data for threats and attacks on their victims.
In harassment through so-called doxing, as in the case of comedy writer Jasmina Kuhnke, for example, attackers collect such data in a targeted manner.
Among other things, the BSI sees in the leak the danger that "people who have already been victims of stalking will be harassed again when their telephone number becomes known." Another risk is so-called SMS phishing attacks, which are optimized with personal salutations.
Investigative authorities have already seen an unusual increase in such attacks since the leak became known.
So-called SIM swapping attacks could also be facilitated by the leak.
In such attacks, attackers specifically try to take over the victim's cell phone number in order to steal money from them, for example.
From the point of view of the BSI, “a warning from Facebook to all customers” is necessary.
The CDU MP Ingo Gädechens, whose data is also in the leak, describes the approach of the social media platform in the current case as unacceptable.
He has now been informed of the incident by the Bundestag administration, but not by Facebook.
"I cannot understand why Facebook does not directly inform the users concerned."
Facebook itself has announced that it will not notify users of the incident.
On Wednesday, however, the data protection authority in Ireland responsible for Facebook in Europe opened a case against Facebook because of the incident.
In a letter to the BSI, Germany's highest IT security authority, Facebook tries to explain the incident by arguing that it is not a hack, but so-called »scraping«.
With scraping, data is harvested on a large scale with the help of automated processes.
According to the Facebook letter, which is based on a blog post by the company, the leak was caused by the "collection of data that is publicly available".
Finding out if this is actually the case will be part of the Irish Data Protection Agency's investigation.