According to the “internationally active cybersecurity team,” Kaduu, the personal information, passwords, and other account data of 37 parliamentarians leaked online. Politicians from all parties are included in a database dump that Kaduu found on the darknet. Much of the information had originated from the Dropbox and LinkedIn dumps from years ago.
Kaduu, like so many similar firms, provides a “Deepweb” analysis service. The company searches for information on relevant parties (likely only for clients, save for the National Council). Because much of the information pulled from the Dropbox or Yahoo database dumps had grown stale, Kaduu reportedly found that information offered for free. For more valuable databases and leaks, the company often pays the fee charged by the darknet vendor.
The company claims that its darknet monitoring service—whatever that means anymore—examines a client’s “sensitive and business-relevant information” as it appears on the deepweb. Sources of information include “the darknet,” forums, IRC chats, “dump bots,” and cloud storage accounts. For this discovery, the company sent “undercover” analysts to verify more valuable, recent data offered by data brokers and vendors.
Some individuals fared worse than others. For instance, the president of the Democratic Party of Switzerland, Christian Levrat, appeared in the database twice, both times in connection with his Dropbox account and with two emails: his private Bluewin address and his official Parl.ch address. He explained that any data obtained using the password on that account was “rubbish data” and templates from his campaign posters. Levrat added that the breach had given him a good opportunity to catch up with his habitual password changing.
SVP National Councilor Heinz Brand never changed his passwords, but claimed that he would never email something sensitive. “When in doubt, letter mail it,” Brand said. Vaudländer GLP Isabelle Chevall denied even having a Dropbox account. When confronted with the fact that she currently used the same username and password for other services, she admitted that she had created a Dropbox account but said she never used it for anything but personal data.
She added that if anyone wanted access to her Dropbox account, it was only to amuse themselves. She said that like Brand, she would never use email to exchange confidential information. If she did, it was only through her parl.ch email address.
This incident has encouraged officials to issue guidelines on parliamentary use of the internet. In an email to a journalist, an official said that the biggest problem was not with personal use of the government email, but instead with password reuse, something that plagues Dream vendors and parliament members alike.