Businesses urged to shield against risk of social engineering

Out-Law News | 08 Jan 2019 | 10:19 am | 2 min. read

Businesses should train staff how to detect and avoid falling victim to social engineering to help keep their data secure, an expert has said.

Munich-based data protection law specialist Kai Paterna of Pinsent Masons, the law firm behind Out-Law.com, said news of the recent hack of German politicians' personal data was a reminder of the need to take steps to proactively address cyber risk.

Hundreds of German politicians, including chancellor Angela Merkel, were affected by the hack, which also hit some celebrities and journalists. It is not yet clear where the information was sourced from or who was responsible, but the data was published in stages from an account on Twitter in the past month.

According to regional public broadcaster Rundfunk Berlin Brandenburg, which first reported the incident, the published information included phone numbers, private addresses, letters, invoices and credit card data. Private messages and photos were also made public, it said.

Hamburg's data protection authority has said that it tried to contact Twitter in an effort to stop the spread of the leaked data. On Friday the watchdog announced that it had been liaising with Ireland's Data Protection Commission for help with this, as it had been unable to reach anyone in Twitter's Hamburg office and at that stage had not received any response from the company itself. Twitter's European headquarters is in Dublin.

The account from which the data was published has now been deleted.

The Hamburg authority said: "The point now is to use a direct link to Twitter in Ireland to legally request the blocking of links pointing to other platforms where the actual data is located. Because on the original platforms, they are still freely accessible on the net. [We have] sent Twitter a corresponding list of short links to be deleted."

Besides politicians from the state parliaments in Berlin and Brandenburg, all parties currently represented in the German Bundestag are affected by the hack, with the exception of the right-leaning AfD (Alternative for Germany) party.

Although the data had been publicly posted since the beginning of December last year, in the form of an Advent calendar, the public did not become aware until a well-known video blogger pointed out in the last week of December 2018 that he had been hacked.

On Friday, the German National Cyber Defence Center met to coordinate the measures of the federal authorities – the German Federal Office for the Protection of the Constitution, the German Federal Criminal Police Office, and the German Federal Intelligence Service.

Kai Paterna of Pinsent Masons said that it had been reported that the hackers may have exploited security flaws in email software, and that some IT experts believe the hackers may have used social engineering to access the data.

"The incident shows that humans are often the weakest link in any security chain," Paterna said. "Companies are well advised to constantly remind their employees how social engineering attacks work."

"It has been suggested that the hackers' main aim was to attract attention by attacking politicians and public figures. In the case of companies, the economic damage caused by hacking is usually a lot more substantial, including if a ransom is levied to regain access to business critical data," he said.