Investigators searched his family's apartment in central Hesse state Sunday evening before detaining him. The search didn't immediately turn up "objective indications of any particular political motivation," Ungefuk said at a televised news conference.
The student has no previous convictions and appeared to regret his actions, Ungefuk said. The suspect, who wasn't identified in line with German privacy regulations, told investigators "he acted out of annoyance at public statements by the politicians, journalists and public personalities involved," the spokesman said.
Authorities say almost 1,000 people were affected by the data breach. In most cases, the information published online was limited to basic contact details, but in up to 60 cases more extensive personal data was made public. It was posted via Twitter before Christmas, but only came to most people's attention late last week.
The information appeared to include data on members of all parties in parliament except those from the far-right Alternative for Germany party. The man "said that he acted alone in illegally obtaining data and then publishing it," Ungefuk said. Investigations so far have produced no evidence that anyone else was involved, he added.
The suspect was released Monday for lack of legal grounds that would justify keeping him in custody, such as a risk of collusion or flight risk. He could face charges of illegally obtaining data and handling stolen data, which can carry a sentence of up to three years in prison for adults. However, this case is being considered under juvenile law, which carries lesser sentences.
Ungefuk noted that the suspect has cooperated with investigators, helping them recover data he deleted after the case became public. It wasn't immediately clear when the hacking started. Investigators say the suspect also collected publicly available information on the politicians, journalists and others. The data included telephone numbers, addresses, credit card details, photos and communications.
He published the material using links posted on Twitter accounts, including one with the handle "G0d," investigators said. The account, along with another the suspect had used, was suspended Friday. Holger Muench, the head of Germany's Federal Criminal Police Office, said the suspect apparently didn't use malware but instead "hacking methods to overcome passwords."
Inadequate passwords generally are the main cause of hacked data, Muench said, adding that investigators don't believe the student's motive was predominantly political. Questions have been raised about the way the data breach was handled by Germany's IT security agency, after it emerged that it was made aware of it weeks before the extent of the data collection became clear on Thursday night.
The IT security agency has acknowledged that it was approached by one lawmaker about suspicious activity on his private email and social media accounts in early December, but said it believed at the time his experience was a one-time case.
Officials defended their response to the case Tuesday, though Interior Minister Horst Seehofer pointed to efforts already underway to bolster cybersecurity. "We will have to see that we establish an early-warning system," Seehofer said.