What corporations need to learn from the cyber-attack on politicians and celebrities

Tips & Best Practice | 23. JAN 2019

Lessons for companies from the political hack

Since the 2018/19 cyber-attack on public figures, IT security is once again a hot topic in Germany. A 20-year-old man posted the personal contact details of a number of politicians and anti-right wing public figures online. He also published detailed information on some of these well-known names, such as their private documents, agreements and chat history.

Since then it has become known that many of those affected had poor security safeguards. Weak passwords are only part of the problem; in general, there seems to be an issue surrounding negligent handling of confidential data. Anyone who shares documents in the political sphere via Dropbox or Google Docs without first encrypting the data themselves reveals a shocking lack of competence in IT security. It is not just that the servers are located in countries known to be exposed to access by foreign intelligence services. When links to data in the cloud are shared via chats and supposedly secure forums, or sent unencrypted by email, access is anything but a challenge, even for inexpert hackers.

What can we learn from the hacking attack?

We discovered that the unwarranted publication of third-party documents and data by hackers is called ‘doxing’, from the abbreviation ‘docs’. We also found out that the damage caused by cyber-attacks is not always immediately obvious. Data exposed today can do damage tomorrow or even years later. The Internet never lets anything be forgotten.

The motivations for cyber-attacks can be very different. It is not just competitors or intelligence services which phish and share data for their own economic gain. Any bored geek can cause damage, especially when we make it easy for them.

Politicians reacted to the incident by announcing a new IT security law. But in reality, this does little to help the individuals and businesses affected. We are also still a long way from politically desirable secure applications built on principles like Security by Design. Each of us now has to take matters into our own hands and become proactive.

What businesses now need to know

Technically speaking, attacks on emails pose no real challenge because email content is transmitted unencrypted through the Internet and passes through multiple server nodes which can be ‘eavesdropped’. Targeted attacks on emails via Wi-Fi and mobile networks are also commonplace.
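Which of the server nodes mentioned above protected a message in transit can be read from the message itself: each relay adds a Received header, and the RFC 3848 keywords ESMTPS and ESMTPSA mark a transfer that used TLS. The following is an added example, not part of the original article; the sample message, its host names and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that mean the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

# Constructed sample message; every host name and address is made up.
SAMPLE = """\
Received: from mx1.relay.example (mx1.relay.example [198.51.100.7])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by mail.recipient.example (Postfix) with ESMTPS id 9C1D2
 for <bob@recipient.example>; Wed, 23 Jan 2019 10:00:05 +0100
Received: from smtp.sender.example (smtp.sender.example [192.0.2.25])
 by mx1.relay.example with ESMTP id 4F2A
 for <bob@recipient.example>; Wed, 23 Jan 2019 10:00:03 +0100
Received: from laptop.sender.example ([203.0.113.9])
 by smtp.sender.example with ESMTPSA id 77AB;
 Wed, 23 Jan 2019 10:00:01 +0100
From: alice@sender.example
To: bob@recipient.example
Subject: Draft agreement

See attachment.
"""

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments such as '(using TLSv1.3 with cipher ...)'."""
    previous = None
    while previous != value:
        previous, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def hop_report(raw_message):
    """Return one dict per hop, ordered from the sender towards the recipient."""
    hops = []
    # Each server prepends its header, so the list is reversed to get transit order.
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        clean = strip_comments(" ".join(header.split()))
        by, proto = BY_RE.search(clean), WITH_RE.search(clean)
        name = proto.group(1).upper() if proto else None
        hops.append({"by": by.group(1) if by else None, "protocol": name,
                     "tls": name in TLS_PROTOCOLS})
    return hops

def unprotected_hops(raw_message):
    """Receiving servers whose header does not report a TLS-protected transfer."""
    return [hop["by"] for hop in hop_report(raw_message) if not hop["tls"]]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
```

Received headers are self-reported by each server, so treat the result as an indicator rather than proof. Even when every hop reports TLS, the content is still readable on each relay unless the message itself is encrypted end to end.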

Intercepted business communication not only endangers trade secrets, it can also serve as a basis for phishing, can bring companies and employees into delicate situations and lead to blackmail attempts.

When a hacking attack makes clear that personal data has not been sufficiently protected, huge damage to reputations is not the sole consequence. Violation of the EU’s General Data Protection Regulation (GDPR) can also be very expensive. It is important to remember that, according to the Trade Secrets Act, trade secrets have to be adequately protected in order to even be classed as secrets in criminal proceedings before the court or in claims notifications to insurance companies.