A 20-year-old man recently admitted to German police that he was behind one of the country’s most significant data breaches, where the personal details of nearly one thousand public figures were leaked. Authorities apprehended the accused after his house was raided on Sunday, January 6, 2019. According to authorities, the suspect is a student who lives with his parents in the central German state of Hesse.

He told investigators that he acted alone, was not politically motivated, and had been driven instead by his annoyance at statements made by the victims of his attacks, including politicians, journalists and celebrities.

The arrest came just days after one of the largest “dumps” of hacked data in Germany became public. Before the media reported on the hack, authorities had failed to react to the trickle of data that had been released over the weeks before the arrest. The personal information collected included email addresses, telephone numbers and chat transcripts. The suspect, known on the web by the nicknames “g0d” and “0rbit”, released the hacked data via Twitter.

Interior Minister Horst Seehofer was quick to rebut widespread accusations that German authorities had been unwilling to keep the public informed. Seehofer revealed that the hacker could never have been as successful as he was had his victims created more sophisticated passwords. “Bad passwords were one of the reasons he had it so easy,” Seehofer admitted. “I was shocked at how simple most passwords were, including ‘ILoveYou,’ ‘1,2,3’.” Enforcing the usage of stronger passwords is essential in protecting your organization.

The interior minister noted that both politicians and the public need to significantly increase their sensitivity to and awareness of cybersecurity. He advised that the public should be aware that such attacks are likely to become much more commonplace in the coming years.

Furthermore, Seehofer announced the recruitment of hundreds of cybersecurity experts to the police force, as well as the development of an around-the-clock IT crew who would use “early warning system” software to aid in the recognition and, ideally, prevention of future attacks.

Investigators in Wiesbaden and the Federal Criminal Police Office (BKA) believe the man was not entirely aware of the severity of his actions. Despite initial reports that China or Russia may have had some involvement in the incident, the BKA confidently advises that there was absolutely no evidence that a foreign government had been behind the attack to any extent. Rather, the perpetrator’s profile was typical of a growing generation of adolescents, or “Kinderzimmertäter” (play room criminals), who don’t have to step out of their homes to carry out their deeds.

What does this mean for your organization?

Unsurprisingly, most attackers will seek out the path of least resistance. In recent years, the focus appears to be shifting from servers to individuals. Individuals, after all, cannot be patched, which is why there has been a distinct uptick in phishing campaigns and other forms of social engineering aimed at individuals within organizations.

Cybersecurity Definitions:

Phishing is the fraudulent practice of sending emails purporting to be from a reputable source in order to induce individuals to reveal personal information, such as passwords, usernames and credit card information.

Social Engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Phishing is a type of social engineering.

Employees are still clicking where they shouldn’t, using predictable passwords, recycling passwords and uploading sensitive data where they shouldn’t.

Security Awareness Training

It is more important than ever that information security professionals look very closely at what is and what is not working for their organizations: Is your organization doing enough awareness training? Is it doing the right kind of awareness training? Is it bringing in the right third-party vendor to perform penetration testing to prevent an attack?
