Politicians from several parties questioned why the Federal Office for Information Security, or BSI, didn't alert Parliament about the suspected hacking case when it first came to light in December. In a statement, the agency acknowledged it was approached by one lawmaker about suspicious activity on his private email and social media accounts in early December, but said it believed at the time his experience was a one-off case.
"The BSI took this case very serious and took it up with the National Cyber Defense Center," the agency said in a statement, adding that it wasn't aware of the planned mass online leak of data that occurred Thursday via Twitter.
"It was impossible to foresee at the start of December 2018 that there would be further cases," the BSI said. The statement appeared to contradict comments by BSI chief Arne Schoenbohm, who told public broadcaster Phoenix on Friday his agency had spoken to "individual lawmakers who were affected by this very early on in December."
As many as 1,000 German politicians and celebrities are believed to have been affected by the breach of data that includes private addresses, cellphone numbers, chat records and credit card numbers. Authorities are still investigating who was behind the theft and publication of the information, which didn't include any data on lawmakers from the far-right Alternative for Germany party.
The information, while potentially embarrassing to some lawmakers, doesn't appear to have revealed any major political scandals. The leak has once again sparked debate about cybersecurity in Germany. German news agency dpa reported the country's federal police agency wasn't alerted to the data breach until Thursday night.
Manuel Hoeferlin, a lawmaker with the Free Democratic Party, was quoted telling dpa the BSI should "critically examine" its procedures. Social Democratic Party lawmaker Jens Zimmermann told the Handelsblatt daily newspaper it was "extremely unsatisfactory" some parliamentarians only learned of the hack through the media.
A German YouTube star whose Twitter account, @unge, was hijacked last week to disseminate links to the stolen material, said Saturday it appeared human error was to blame in his case. Simon Unge, whose real name is Simon Wiefels, said the perpetrator first gained access to his email account and then convinced a Twitter employee to disable a second security check required to take control of his account on the social networking site.
Twitter didn't immediately respond to a request for comment and it wasn't clear how many of those affected by the leak had such "two-factor authentication" enabled for their email or social media accounts, and whether the hacker similarly managed to bypass it.
The BSI said it currently believes government networks weren't compromised.