Top 10 cybersecurity breaches in Germany

Beware! The long arm of organized cybercriminals and nation-state hacker groups is seeking to expand its reach in Germany.
In continuation of our series on top data leaks worldwide, this time our focus country is Germany. From large multinationals with operations outside Germany to hospitals and renewable energy firms, the long arm of organized cybercriminals and nation-state hacker groups is seeking to expand its reach. Mavericks have leaked the personal data of leading politicians, celebs, and journalists into the public domain in an attempt to embarrass them or in the hope of gaining some political capital. Furthermore, trade secrets siphoned from R&D units of large enterprises are up for sale in the cyber underground. Ignorance of data privacy regulations is no excuse, and two of Germany's leading retailers paid the price for violating the EU's General Data Protection Regulation (GDPR) rules. Here's looking at the top data leaks and data privacy violations that have cost organizations and individuals dearly in terms of money, brand image, and reputational loss.
#1 Düsseldorf University Hospital
On September 9, 2020, cybercriminals exploited a Citrix vulnerability to launch a ransomware attack against the Düsseldorf University Hospital. The hackers' intended target was possibly Düsseldorf University: the ransom notes, interestingly, were addressed to another hospital three kilometers away. Based on the ransom notes, police contacted the hackers, who, realizing they had hit the wrong target, shared a digital key to help decrypt the data. The attackers also dropped their demand for a large payment in Bitcoin. However, a female patient with a life-threatening condition passed away while being transferred to another hospital in the wake of the cyber event, the first reported death linked to a cyberattack.
#2 Marquard & Bahls
Towards the end of January 2022, a malicious cyberattack that made use of a previously unknown gateway compromised IT systems at Oiltanking GmbH Group and Mabanaft Group, both subsidiaries of the German energy provider Marquard & Bahls group. The company blamed the attack on the Russia-linked BlackCat gang (aka ALPHV). The ransomware network had emerged in November 2021 from the remnants of other ransomware groups like BlackMatter and the more notorious DarkSide. The attack reportedly led to the closure of 233 gas stations across Germany after the unloading of fuel was affected at Oiltanking's petrol tank terminals.
#3 German Defense Ministry
Malicious software installed on as many as 17 computers in Germany's IVBB (Internet Access for German Government) network first came to light in December 2017. But the compromise operation, blamed on Snake (also nicknamed Turla), a Russian-backed hacker group, may have begun much earlier. Apparently, highly classified information is almost never shared via the IVBB computer network. The German interior ministry was emphatic that acute dangers associated with the attack had been averted promptly. The hackers reportedly made off with just a small amount of data, believed to be on Russia. However, among the affected computers was one belonging to a senior defense ministry official.
#4 German Federal Parliament
In the spring of 2015, the internal network of the German Federal Parliament (Deutscher Bundestag) was breached and 5,000+ computers were affected in a cyberheist that lasted several days. The attackers exfiltrated at least 16 GB of data, which included Chancellor Angela Merkel's emails for the previous three years! Two of the Chancellor's email accounts were targeted, as were the emails of several members of parliament. In May 2020, German authorities named a 29-year-old hacker from Kursk, Russia, working for Unit 26165, a cybermilitary unit of Russia's GRU military intelligence agency, as the prime suspect behind the hack.
#5 Enercon
On February 24, 2022, the US satellite company Viasat, which reportedly provides services to the Ukrainian armed forces, suffered a suspected distributed denial of service (DDoS) attack. Malware that goes under the name AcidRain erased all data on Viasat systems. The result was a massive disruption of satellite links in Europe. The collateral effect on Enercon, a German wind turbine maker, was significant. The company lost control of nearly 6,000 of its turbines, which continued to operate in auto mode as of March 1, 2022! The timing of the Viasat outage, barely an hour before Russia commenced its military operations in Ukraine, suggests possible links to pro-Kremlin hackers in Ukraine.
#6 H&M
On October 5, 2020, a fine of $37 million was slapped on clothing retailer H&M for breaching the EU's GDPR rules, the second-biggest fine GDPR has ever imposed. Reportedly, at its Nuremberg service center, the retailer had stockpiled data on several hundred employees' private lives, including details of their family, religious beliefs, and even illnesses. Company executives held mandatory meetings with employees returning from vacation or sick leave, and the proceedings were recorded. More than 50 H&M senior staff had access to much of the private data collected. The company used this "broad knowledge" of their staff's personal lives to assess their performance.
#7 Politicians, celebs, mediapersons
In August 2019, German investigators in the western state of Hesse confirmed they had arrested a 20-year-old hacker responsible for what is dubbed the largest data leak in German history. From December 1-28, 2018, hacked data, including cell phone numbers, addresses, internal party messages, private chats, and credit card details of hundreds of German politicians, was tweeted online. Those affected by the hack included Chancellor Merkel and various celebrities and journalists. What raised eyebrows was that figures from the far-right AfD party had been spared! The Twitter account (@_0rbit) had 17,000 followers. Initially, fingers were pointed at the German far-right and Russia, but German authorities now say the hacker was acting alone.
#8 German electronics retailer
A German electronics retailer installed CCTV cameras at its warehouses and workspaces, on the face of it to prevent theft and track the flow of goods. The camera surveillance ran round the clock and the footage was stored for up to two months. By January 2021, the retailer was facing a fine of $12.7 million, one of the largest fines under the EU's GDPR data protection rules. The GDPR commissioner in Lower Saxony ruled that for two years the retailer had kept its employees under constant surveillance, with no legal basis to back such action. The commissioner rejected the retailer's defense that the video system was not intended to track employee performance.
#9 Deutsche Windtechnik
German wind turbine giant Deutsche Windtechnik admitted it had taken its IT systems offline on April 11 and 12, 2022 after suffering what it described as a "targeted professional cyberattack." The company lost control of nearly 2,000 of its turbines for 24-48 hours, and, as of April 14, 2022, Deutsche Windtechnik was still struggling to restore its IT systems. The windfarm operator acknowledged it had faced a ransomware attack, adding that it had not tried to reach out to any of the threat actors involved. Meanwhile, a malware tracking group claimed on April 26, 2022, that some data from the hack had surfaced on the leak site of the Black Basta ransomware gang.
#10 German Chambers of Commerce
The Association of German Chambers of Industry and Commerce (DIHK) represents more than three million members in the country. In the first week of August 2022, DIHK announced it was shutting down all of its IT systems and Internet connections in the wake of a massive cyberattack. This was probably an urgent security measure to stop a malware infection from spreading. Telephone communication was also switched off. The impact of the attack was felt across German states, and DIHK was not sure how long the systems would remain shut down. The cyber incident carried some hallmarks of a ransomware attack, though there was no official confirmation.

Cybercrime is an undeclared war waged from behind computer screens by faceless individuals and malicious groups. The only way organizations can hope to stand up to this naked aggression is by strengthening their cyber perimeter on a continuous basis. They also need to constantly test the security of their data and systems to see how well they can withstand a security breach (via penetration testing of APIs, mobile apps, and cloud deployments, for instance).

Our cybersecurity analysts and white hats help organizations identify vulnerabilities in their security posture, review existing security measures in depth, and, most importantly, respond to data breaches in a timely manner. To learn more about our cybersecurity services, send an email to our Cyberlands team.