With an online campaign, the CDU wants to create a mood against the government’s heating plans. But the party did not expect a security gap – and not with hackers.
The CDU admits a data protection violation as part of its “Fair heating” campaign. Accordingly, she informed those affected by email. The Berlin data protection authority was also informed of the incident by the party. According to its own account, the hacker collective Anonymous had registered a five-digit number of email addresses for the campaign – and was able to see who was already taking part.
The data protection violation granted by the CDU is about the security gap that Anonymous used and uncovered. According to the party, the gap has now been closed and no data records have been stolen.
However, the actual goal of the campaign is also controversial. A CDU spokeswoman had already stressed a few days ago when asked by t-online that it was just a matter of “showing that a large number of people across the country are raising their voices against the traffic light coalition’s heating plans”. However, the data protection declarations and the cooperation with a new agency as well as the use of trackers had provided indications that the CDU aimed to create personalized profiles of users. The declaration of consent, for which the data is used, was changed several times after the start of the campaign.
Old data leaks used with addresses
The hacker collective Anonymous doubted that it was primarily about content. “The CDU rumbles with absurd bills against the exchange of fossil heating systems for heat pumps and, with emotionalizing pictures of sad-looking old white men with existential fears, is looking for contact details in order to then pass them on to their state associations,” says a blog post. The collective sees this as part of an attempt to alienate voters with the populist appearance of the AfD.
In the blog post, the hackers also explain that they wanted to measure the success of these campaign efforts: Is this how the CDU reaches the edge? With a short program code, it was therefore possible to enter e-mail addresses of supposed supporters on the campaign page in bulk and even to receive feedback as to whether the respective address was registered.
Anonymous used leaked data sets from the AfD and the party “Die Basis”, which became known for their resistance to the corona measures. According to Anonymous, the people behind the data sets are people who can be “cautiously and friendly described as a mixture of right-wing conservative, ignoring climate change, open to fossils and politically very motivated and activatable”. They are “the ideal target group for such a campaign”, as the CDU is now undertaking.
None of the 15,000 addresses below
More than 2,000 email addresses came from a list of participants at a 2016 AfD party convention in Stuttgart, which was published on the Indymedia site in the same year. In addition, there were the e-mail addresses of more than 12,000 members of “Die Basis”. According to the analysis by Anonymous, none of these almost 15,000 people joined the CDU campaign. This is evidence that the CDU campaign is unsuitable for allegedly winning back voters from the fringes.
Apparently, an email was sent to all addresses asking them to confirm their personal information. In order to make the violation of the data protection law even more visible, Anonymous apparently also sent such confirmation emails in bulk to the address of the Berlin data protection authority and to journalists. During parallel research on the subject, the author of this article received 907 emails from the CDU twice, without initially having an explanation.
In their communication, the data protection officer of the CDU now writes that the party had to involve specialist IT companies to implement the campaign, and that there was a gap in the system of a service provider. The party is working on the campaign with the agency CamBuildr, which is considered a key factor in Sebastian Kurz’s first election victory in Austria and has already worked for the Saxon CDU.
CDU advises caution after the incident
The CDU now recommends that all those affected change passwords in connection with the e-mail address used as a precaution – even if it is not at all clear how hackers are supposed to have obtained passwords. The party also warns that phishing e-mails could now be sent to addresses that were used for registration, as an attempt to obtain further personal information using counterfeit CDU websites, for example.
In its message, the CDU also emphasized that it was only possible to query email addresses that had already been registered in the campaign, but not to access the database as a whole. However, the information as to whether an e-mail address was used for the campaign is considered particularly worthy of protection. Therefore, the error in the interface was classified as a security gap and reported to the Berlin data protection officer. There has been a test procedure for a security gap in the campaign app “CDU Connect” for two years.
