CDU: List of candidates was freely available online

The CDU has a security leak in its online application platform. Names of applicants could be viewed publicly.

CDU logo on a building

(Image: Shutterstock/Electric Egg)

By Falk Steiner
This article was originally published in German and has been automatically translated.

The Christian Democratic Union of Germany (CDU) has another IT security problem. After professional attackers recently made life difficult for the party by exploiting gaps in its IT supply chain, and online activists targeted its votes, the CDU now has a classic data leak: the names of over 4,800 applicants for positions at the Konrad Adenauer House and in CDU branches were freely accessible, and the CDU was evidently unaware of it.

The newly discovered data leak has nothing to do with criminal intent. Unlike the "most serious attack on an IT structure that a political party in Germany has ever experienced", as CDU leader Friedrich Merz described the attack on the IT infrastructure of the Konrad Adenauer House, which is said to have been carried out using zero-day exploits, the leak that has now come to light is an entirely home-grown problem.

The application platform of the CDU and its branches is based on Drupal. It was configured in such a way that the names of registered users could be viewed by anyone who called the account list function directly via its URL: a total of 4,870 entries. According to the page source, the Drupal installation behind jobs.cdu.de used templates from the CDU's own service provider, Union Betriebs-GmbH.
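The article does not say which Drupal function exposed the list, only that an account listing was reachable by URL without logging in. The following script is an added example, not code from heise online or from the CDU platform: it probes the standard Drupal core and JSON:API endpoints that expose user accounts when the anonymous role is granted too much (the endpoint paths and the "administer users" / "access user profiles" permission names are Drupal core's; that the CDU leak used one of them is an assumption for illustration). The fetcher is injectable so the check can run offline against constructed responses.

```python
"""Probe a Drupal site for user listings readable without authentication.

Added example (not from the article or the CDU site). USER_ENDPOINTS are
standard Drupal core / JSON:API paths; which endpoint the CDU platform
actually exposed is unknown and is assumed here only for illustration.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict

# Endpoints that disclose account names if the anonymous role is over-privileged:
#   /admin/people       -> people overview, should need "administer users"
#   /user/1             -> a profile page, should need "access user profiles"
#   /jsonapi/user/user  -> JSON:API user collection, if the module is enabled
USER_ENDPOINTS = ["/admin/people", "/user/1", "/jsonapi/user/user"]


def http_status(base_url: str, path: str, timeout: float = 5.0) -> int:
    """Unauthenticated GET of base_url + path; returns the HTTP status code."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "drupal-anon-user-check/0.1"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map a status code for an anonymous request onto a finding."""
    if status == 200:
        return "EXPOSED"      # listing or profile rendered for an anonymous client
    if status in (401, 403):
        return "denied"       # correct: Drupal returns 403 without the permission
    if status == 404:
        return "absent"       # path not routed (e.g. JSON:API not enabled)
    return f"other ({status})"


def check_anonymous_user_exposure(
    base_url: str,
    fetch: Callable[[str, str], int] = http_status,
) -> Dict[str, str]:
    """Return {path: finding} for every endpoint in USER_ENDPOINTS."""
    return {path: classify(fetch(base_url, path)) for path in USER_ENDPOINTS}


# Constructed responses standing in for a misconfigured site: the admin
# listing is protected, but profiles are world-readable and JSON:API is off.
CONSTRUCTED_RESPONSES = {
    "/admin/people": 403,
    "/user/1": 200,
    "/jsonapi/user/user": 404,
}


def demo_fetch(base_url: str, path: str) -> int:
    """Offline stand-in for http_status using the constructed responses."""
    return CONSTRUCTED_RESPONSES[path]


def demo_report() -> Dict[str, str]:
    """Run the check against the constructed site (hypothetical hostname)."""
    return check_anonymous_user_exposure("https://jobs.example.invalid", fetch=demo_fetch)


if __name__ == "__main__":
    for path, finding in demo_report().items():
        print(f"{path:22s} {finding}")
```

A 200 is only a strong signal when the response is the listing itself; urllib follows redirects, so a site that bounces anonymous clients to /user/login with a 200 would need a body check as well. The durable fix is on the permission side: in the anonymous role configuration (user.role.anonymous), neither "administer users" nor "access user profiles" should be granted, and any Views page that lists user entities needs an access restriction of its own.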

No information about the applicants other than their first and last names was publicly visible. However, the mere fact that a person has applied for a job with the CDU or one of its subdivisions points to a political affiliation and is therefore likely to count as a particularly sensitive category of personal data within the meaning of the General Data Protection Regulation (GDPR).

The CDU press office did not respond to a request for comment from heise online by the editorial deadline on Tuesday afternoon. At 16:30, however, the CDU switched the entire job platform to maintenance mode. By then, the link to the applicant overview had already been circulating on relevant websites for several days.

The supervisory authority responsible for data protection at the political parties is the Berlin Commissioner for Data Protection, who has now been made aware of the matter.

According to people familiar with the data leak, the self-service platform for people interested in CDU jobs has been active since around 2016; the oldest entries apparently date back to that time. More recent entries from the past few months were also publicly visible on the platform. As a test by heise online showed, a new registration appeared in the list of candidate profiles as soon as the user confirmed the e-mail address for the profile.

The list of candidates' names was publicly accessible on the CDU platform (heise online's test account is shown unredacted).

(Image: Falk Steiner / heise online (Screenshot))

The CDU has had problems with the IT security of its online applications before. After the CDU filed a criminal complaint against Berlin activist Lilith Wittmann, which was later dropped, the Chaos Computer Club announced that it would no longer report security vulnerabilities it found to the CDU.

(olb)