What happened
Die Linke confirmed that data was stolen in a ransomware attack claimed by the Qilin group after attackers gained access to the party’s internal IT systems. The party said the intrusion affected internal communications, administrative files, and personal data. According to the report, Qilin listed Die Linke on its leak site and claimed to have taken around 1.5 terabytes of data. The party said an initial review found no evidence that highly sensitive membership databases or donation records were affected, but it acknowledged that other internal data was compromised. Die Linke said it informed data protection authorities, involved law enforcement, and began notifying potentially affected individuals while working with external forensic specialists to investigate the full scope of the incident.
Who is affected
The direct exposure affects Die Linke and individuals whose personal data or internal communications were stored in the compromised systems. The party said the breach involved administrative and internal information, though it did not confirm exposure of its highly sensitive membership or donation databases.
Why CISOs should care
This incident matters because it involves a political organization handling internal communications and personal data, with the attackers also using a public leak site to pressure the victim. It also shows how early scoping after a ransomware attack may distinguish between confirmed compromised data and other highly sensitive systems that, at least initially, do not appear affected.
3 practical actions
- Separate confirmed exposure from critical-system assumptions: Move quickly to establish which datasets were actually accessed so leadership does not overstate or understate the scope of compromise.
- Prepare for leak-site pressure alongside incident response: Ensure legal, communications, and security teams are ready for situations where attackers publicly claim large-scale theft before the full internal review is complete.
- Prioritize notification and regulatory coordination early: Align forensic review with data protection and individual notification obligations as soon as personal data exposure is suspected.
