Passports, criminal records leaked in EU Parliament data breach

Content-Type:

News Based on facts, either observed and verified directly by the reporter, or reported and verified from knowledgeable sources.

[MMD Creative/Shutterstock]

Identity cards, passports, excerpts of criminal records, and work experience documents were among the personal data of European Parliament employees compromised in a data breach, according to an internal email sent on Wednesday (22 May) and seen by Euractiv.

The European Parliament notified its staff about a data breach in the recruitment application PEOPLE, used for hiring non-permanent staff, Euractiv reported on 6 May.

The breach took place at the start of 2024 and was confirmed on 25 April by Kristian Knudsen, a director-general, in an email.

On Wednesday (22 May), a new email, sent by the PEOPLE application team and seen by Euractiv, detailed to individual employees, which documents uploaded in the PEOPLE app were part of the breach. In the emails seen by Euractiv, almost all the uploaded documents were listed as being affected.

“After analysis, all active and non-active users were provided with detailed information on 22/05, in line with the recommendation of the European Data Protection Supervisor (EDPS),” a Parliament spokesperson told Euractiv.

Former employees of the Parliament were also notified via email that some of their personal data was impacted, sources told Euractiv. In some instances, this included data that was no longer up-to-date.

It is still unknown whether the breach was the result of hacking or other vulnerability. The Parliament spokesperson did not comment on Euractiv’s inquiry on 23 May as to how many people were affected.

The PEOPLE application, an HR tool, was deactivated after the data breach. Staff were advised to reset passwords and be cautious of suspicious messages.

The EDPS and Luxembourg’s national authority are still investigating the breach.

The affected documents also relate to civil status, residence and domicile, education or experience, military obligations, declarations of honour, documents to establish individual entitlement, and contracts.

The Parliament’s cybersecurity experts and the Luxembourg Police “continue to carry out in-depth analysis in order to clarify all the circumstances surrounding the breach,” the Parliament spokesperson added.

“The PEOPLE application is in the process of being secured and will soon be back online,” the email reads.

However, those not in the recruitment procedure anymore, cannot access their account.

European Parliament's recruitment application compromised in data breach

The European Parliament sent on Monday (6 May) an internal notification to its staff, seen by Euractiv, about a data breach in the application PEOPLE, used for the recruitment of the institution’s non-permanent staff.

Employees concerned

“Our identities can be basically stolen and our data can be misused,” wrote Dávid Kardos, accredited parliamentary assistant (APA) for MEPs Anna Donáth and Katalin Cseh in an email to the Accredited Parliamentary Assistants Committee sent on 23 May and seen by Euractiv.

The APA also expressed dissatisfaction about the lack of sufficient information about the data breach and possible investigation, as well as the lack of advice from the Parliament on how employees can secure their data.

They asked why there “was not even a single piece of recommendation offered,” if they needed to change their ID documents and how to handle unchangeable data.

In his email, Kardos questioned the delayed notification about the leak, which occurred at the beginning of the year, and asked about any ongoing investigations and potential suspects, including whether there is a possibility of third-country involvement.

“I wonder why they came forward with this now when the parliamentary term is already over,” he told Euractiv.

[Edited Eliza Gkritsi/by Alice Taylor]

Read more with Euractiv

Subscribe to our newsletters

Subscribe