The members of the German Bundestag are still waiting to find out whether their personal data, such as home addresses or driving routes, was stolen in the recently uncovered hacker attack on the Bundestag transport service. On Wednesday the driving service provider said a "system scan" was still running. However, the causes of the possible data leak are becoming increasingly clear. BwFuhrpark Service GmbH, which operates the driving service on behalf of the Bundestag, stored such sensitive data internally on a large scale, for three months at a time, according to an email from the IT coordinator of the Bundestag administration.
In previous years more care had been taken. The company that operated the driving service from 1999 to 2017, RocVin GmbH, deliberately deleted personal data every day, "always at five in the morning", as RocVin boss Thomas Mohnke confirmed to Süddeutsche Zeitung, precisely so as not to hoard mountains of data from which the movement profiles of MPs could be read. "Who gets driven to the Russian embassy? Who meets with members of other parliamentary groups in the evening? Many are interested in such data," says Mohnke.
"The indiscriminate storage of data harbors enormous security risks," criticizes Konstantin von Notz, deputy leader of the Green parliamentary group in the Bundestag. "That is what all data protection experts and the highest courts in Germany and Europe say. This hack is a prime example of it. One can only hope that the unrepentant fans of data retention in the SPD, and especially in the CDU and CSU, will perhaps come to understand the problem through this unpleasant example." This Thursday, the IT commission of the Bundestag's Council of Elders intends to report on the investigations conducted so far in this case.
The protection of the parliamentary transport service against hackers was apparently weak. The Emotet malware was used in the attack. There is a "vaccination" against it, a defensive program called EmoCrash, which the Federal Office for Information Security (BSI) recently made available to "all authorities of the federal and state administration" and to companies that operate so-called critical infrastructure. The Bundestag transport service did not receive this protection. The program was only "made available to a limited group of users" so as not to alert possible attackers, says the BSI spokesman.
Unlike the ministries, the Bundestag transport service, on whose confidentiality even those MPs who are under personal protection because of threats depend, was not supplied, and the service's current operator, a GmbH owned 75.1 percent by the Bundeswehr and 24.9 percent by the railway, did not ask for it either. Why that is "does not reveal itself to me", says Manuel Höferlin, digital policy spokesman for the FDP in the Bundestag. "The Federal Data Protection Commissioner should also take a closer look at that."