The Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security) (BSI) is the German federal agency in charge of managing computer and communication security -- critical infrastructure protection, internet security, certification of security products -- for the German government. It also advises manufacturers, distributors, and users on identifying and minimizing data security risks. Like many organizations, when the GDI needs to send or receive an encrypted email, it relies on the OpenPGP standard. It creates a public/private keypair and then shares the public key with anyone who wants to send a message. That not only allows senders to know only BSI can decrypt their messages but also verify it was indeed BSI who replied to it.
Early this month Golem.de reported that the BSI, when asked for the public key by someone who wanted to submit confidential information, accidentally sent the corresponding private key. Eventually this key was revoked and a new keypair was issued, but that happened only after Golem.de contacted the BSI.
- How long has the BSI known of that data breach? Per GDPR's Article 33, a data breach should be reported to the nearest Data Protection Authority within 72 hours of the Data Controller, in this case the BSI, becoming aware of it.
- How long did it take for its Data Privacy Officer (DPO) to inform the data subjects? Per the Golem.de article, the BSI kept using this key pair for months after the incident.
- How many data subjects were affected by this data breach?
- Has it immediately created a new keypair and let all those who rely on that know of the incident and receive the new public key? According to the Golem.de article, the BSI still used that keypair for months after the incident.
- The BSI stated the key was password protected. One must assume the (accidental) recipient of this email had the password. However, we have no idea of the strength of password. Because of how the SMTP protocol works, there are many opportunities to get a copy of the email containing the encrypted key as attachment. And then, it becomes the classic password cracking routing in the comfort of your home.
While many are looking at this event from a security standpoint, this really should be seen from the privacy standpoint:
- The impact on the privacy of those who have used this compromised key is yet to be understood. How much personal data has been exchanged using this very key under the assumption it was protected from prying eyes? This encryption key is probably only used to transmit sensitive data; once it is received, it is downloaded, extracted, decoded, and then acted upon. So, unless it is deleted, it is stored in encrypted format at the customer's and the BSI destination mail accounts. And it is possible that the mail transfer agents (MTA) that act as hops between them, storing and relying to the next hop, also keep a copy for a period of time.
- While they probably did a Data Protection Impact Assessment (DPIA), one must assume this kind of data breach was not a possibility they considered. However, hindsight is always 20/20: it very easy to, after this breach is exposed, point fingers at them, but I would like to know any company which accounted for this in their risks from their accidental or unauthorized actions list before this incident.
- Privacy by design is a lofty goal, but in reality it can never be fully achieved. Best we can do is take this as a teaching moment. For instance, we expect that the BSI will now implement a system in which private keys can be used but not directly accessed.