looperhacks 12 hours ago

Now, I'm pretty confident to say that this is obviously just a red herring to distract from the fact that Frau Klöckner simply fell for a phishing attack. The usage of Signal wasn't the real problem (besides that it isn't formally approved for comms).

But since this whole ordeal started, I'm divided where to place the blame (besides the attacker, of course):

- Can we really victim-blame someone for falling for an attack? Sure, people in positions this important should know better, but I don't think we should put the blame on the victim.
- Should we blame Signal for even providing the functionality that allowed the phishing in the first place? Signal announced changes that supposedly make phishing harder, so apparently, something could've been improved before?
- Should we blame the software-world entirely that having credentials that can be shared is even a thing? (Looking at passkeys)
- Should we blame society that the knowledge about phishing attacks isn't ingrained into every person? (being a bit hyperbolic here)
- Should we blame the administrative staff that allowed exposed politicians to even have apps that make phishing possible? It would be possible to make a super-secure messenger that needs much more verification than just "having the credentials". It's just super annoying and impractical for most people. Should we prevent exposed politicians from even having access to not super-secure messengers?

I feel like things could be improved to prevent phishing attacks in the future. I just don't know what is the most sensible point to start.

throwaway270925 11 hours ago

Sure, but maybe your red herring is just another red herring: the phishing attack is just as good an excuse as any to switch from a US-based messenger to an EU-based one.

fwn 9 hours ago

> Can we really victim-blame someone for falling for an attack

The victims may well be those who are potentially endangered by the leakage of information caused by the decision maker. Regardless of that hypothetical, the person responsible for the leak is not the victim.

If you deal with highly confidential information in your day-to-day work, you should be held accountable for keeping it confidential. This is nothing new in the corporate world, so I don't see why public officials should be held to different standards.

Remember: It was apparently a phishing attack. Someone literally asked her for her credentials. It is within the capabilities of an adult to refrain from handing out important information when asked in a no trust environment. If that's truly beyond their capabilities, they should consider another profession.

I'm not arguing for a witch-hunt or anything against this specific person. Learnings should be constructive and this could have happened to many other public officials. Just, maybe.. if you or I breach protocol, let's not call us the victims.

Media education would be a great start.