Information from a cybersecurity firm reveals that the EU parliament suffered a major data breach exposing sensitive data of over a thousand staff and members of the European Parliament. The leaked data came from over 1,200 accounts of elected members of the European Parliament alongside 15,000 other accounts of EU affairs professionals, according to the parliament’s Vice President for IT policy, Marcel Kolaja. The breach was detected by an Indian cybersecurity firm, Shadowmap, through random scanning of the internet for unprotected data. Kolaja said the large amount of data involved in the breach prompted the parliament to investigate whether any laws were violated.
The nature of the sensitive data leaked
The founder of the cybersecurity firm that discovered the leaked sensitive data, Yash Kadakia, told Politico the exposed records contained sensitive personal information, passwords, job descriptions, and other sensitive information. The data also includes information on people with links to various political groups, EU agencies, and authorities such as the international law enforcement agency Europol, border agencies such as Frontex, and the European Data Protection Supervisor (EDPS). The source of the sensitive data in the EU parliament breach was a system run under the europarl.eu domain but whose database was not hosted by the institution itself. The system in question was operated by the European People’s Party (EPP), which is the largest political group in the parliament, headed by Donald Tusk. The faction ran an internet portal that was accessible on the EU parliament website. The sensitive data had been exposed for a long time, according to the Shadowmap founder. On detection, the breach was flagged to the Parliament’s Computer Emergency Response Team, and access to the sensitive data was restricted shortly after.
Response from the affected faction of the EU Parliament
The EPP group spokesperson Pedro López de Pablo confirmed that sensitive data belonging to thousands of accounts of elected officials was leaked in the incident. He said the leaked data was outdated and belonged to members who subscribed to the old website in 2018. He added that the group had launched a new website in 2019 whose information was not affected by the reported breach. The leaked data did not pose a threat to the current system because the new website forces its users to reset a password after three months, according to López de Pablo. The party spokesperson also said they were verifying the emails and would inform the affected people in line with the European Union data protection regulations.
Although hackers may not use the login information to access online systems directly, access to the sensitive data of high-profile individuals in the EU parliament could have massive repercussions. The disclosure of information regarding political affiliations could expose the individuals to targeted political messages and physical security threats, while the exposure of personal information exposes them to phishing attacks. Similarly, the exposure of information related to European agencies such as the European Data Protection Supervisor, Europol, and Frontex could have serious security implications both online and in real life. The access of a political faction to the sensitive data of over a thousand staff and members of the EU parliament and agencies also raises eyebrows about the EU parliament’s data protection policies. The EU Parliament should ensure that only trustworthy and capable organizations can be affiliated with its information systems.