Alliance Sahra data leak – correctiv.org


The Sahra Wagenknecht Alliance (BSW) apparently has a problem with the protection and security of the data of its members and supporters. After it became known in March that names and other personal data of several thousand people were accessible due to a leak on the BSW website, CORRECTIV has now been made aware of another such leak – on an even larger scale.

The party’s press office said that “after the latest incident” – presumably referring to the data leak mentioned by CORRECTIV – they “strictly adhered to all professional procedures” and were cooperating “closely with the authorities”. It remained unclear which procedures were involved.

The file, which the editorial team has access to, contains around 70,000 personal details. This includes lists of members and information on supporters and so-called “state representatives”. The most recent data is from June of this year and could still be downloaded from the website at that time. An informant even confirmed to CORRECTIV that the leak was not closed despite massive public reporting after the first incident in March. CORRECTIV cannot independently verify this.

The Baden-Württemberg data protection authority announced that the association had informed it in March. The authority then requested information from the association. However, the response left questions unanswered, “particularly regarding the cause of the data breach,” so it had to contact the association again. The process is still ongoing. On Monday evening, another data breach report was received from the association, but nothing further can be said about this.

Party presents itself as a victim

The renewed data leak could also have financial consequences. Victims of data leaks are generally entitled to compensation if they suffer significant damage as a result. Those affected can be entitled to up to several hundred euros per person. In addition, the authorities can impose fines of up to twenty million euros in accordance with Art. 83 GDPR.

On Monday, CORRECTIV contacted more than 150 people who appear in the new data leak and asked them whether they had already been informed about the data leak before we asked the party. The first people responded by this morning. The BSW newsletter reported on a general data breach.

After CORRECTIV sent the party a list of questions on Monday morning, the party itself drew attention to the data breach in a newsletter to its supporters late on Monday evening – and gave the incident a different spin: The BSW had “probably become the target of a cyber attack”. In the newsletter, the party also announced that it had immediately reported the incident to the public prosecutor’s office and the relevant data protection authorities. The alliance also wrote: “Unfortunately, Correctiv did not want to provide us with this data set”, but the editorial team had not asked about it.

In response to CORRECTIV’s questions about how the current data breach came about, when the party became aware of it and why security gaps that had apparently existed for some time had not been closed, the party did not provide any information: The party did not wish to comment on ongoing investigations or internal party matters, the press office said.

First data leak in March

A data leak at the BSW had already become known in March. It allowed unauthorized persons to access the personal data of donors and newsletter subscribers. Immediately after the incident became known, the BSW informed the responsible data protection authorities, as they have now confirmed in response to a request from CORRECTIV.

At that time, the email addresses of around 5,000 donors and 30,000 newsletter subscribers were affected. BSW treasurer Ralph Suikat explained to Spiegel at the time that the alliance had prepared a criminal complaint against unknown persons and had contacted its service providers to review security measures.

When asked, the public prosecutor’s office in Karlsruhe confirmed that it was conducting an investigation. The party’s press office said, “After the incident in March, the computer in question was forensically examined and the procedures checked, but no compromise was found.” Therefore, they suspect a “targeted attack on an external, but carefully selected email service provider.”

However, in light of the new data leak, it is questionable what measures were subsequently taken by the party and its external service provider. The data set not only contains personal contact information, but also lists the people as members, includes information about participation in election parties and details about supporters in various federal states and 42 so-called “state representatives”. In fact, the names of the “state representatives” largely match members of the Bundestag, party executives, state parliament candidates and other officials, which provides an insight into the party structure.

The leak was apparently only closed after activist Ornella Allami, known online as “N3LL4,” publicly drew attention to the vulnerability in early June. However, it is not possible to independently verify whether this process is exactly the same.

Question about the role of the supervisory authorities

The party’s renewed data leak also raises the question of how seriously the responsible data protection officers investigated the causes of the first leak. According to Article 83(1), the authorities have a duty to impose “effective, proportionate and dissuasive” penalties in each individual case.

The incident in March happened at the party’s supporters’ association, said a spokeswoman for the BSW at the time – the association is based in Baden-Württemberg. Therefore, the Baden-Württemberg data protection officer was responsible. However, the Berlin data protection officer is responsible for the party itself. Both authorities confirmed in response to CORRECTIV’s request that they had been informed at the time. According to the Baden-Württemberg data protection officer, data transfer between the association and the party requires a separate legal basis.

When asked what they would do as a result, the Berlin authority wrote that it was not really responsible, but rather their colleagues in Baden-Württemberg.

Whether the incident actually gives rise to claims for damages and, if so, against whom they should be directed, will probably require judicial clarification. Whether this happens also depends on whether the injured parties file a lawsuit. In such cases, damages must be claimed individually.

In many cases, however, the legal costs exceed the potential compensation, which deters victims from filing lawsuits. And it is questionable whether the party’s supporters and members will decide to take legal action against them. However, if it turns out that violations of data protection and data security have occurred, those responsible face heavy fines.

Research: Shammi Haque, Alexej Hock, Anna Kassin, Jean Peters, Leon Ueberall
Editor: Anette Dowideit
Fact check: Gesa Steeger
