The European Parliament sent on Monday (6 May) an internal notification to its staff, seen by Euractiv, about a data breach in the application PEOPLE, used for the recruitment of the institution’s non-permanent staff.
On 25 April, following assessments by Parliament’s cybersecurity specialists, it was confirmed that PEOPLE, the external application based in Luxembourg and created to facilitate the hiring procedures for temporary staff, experienced a data breach, the email reads.
The Parliament’s temporary staff may include interns, consultants, contract agents, or assistants.
The notification, seen by Euractiv, was sent by Kristian Knudsen, a director-general at the European Parliament, on Monday (6 May).
Recipients were informed about the possibility that the breach “may have exposed your personal data to unauthorised access by external parties”.
According to the email by Knudsen, “the incident occurred at the beginning of 2024.”
A Parliament spokesperson told Euractiv that the Parliament’s infrastructure was not compromised. It is currently unknown whether the breach was the result of hacking.
Steps taken
The PEOPLE application was deactivated, and the vulnerability was addressed, the email said.
“The competent services are looking into each one of the personal files to determine if/what data have been affected,” the email said, adding that employees “will be notified of further developments concerning you in the coming days”.
According to the notification, ongoing technical inquiries also aim to ascertain the cause and scope of the breach and further precautionary measures are being implemented before restoring the application’s functionality.
European Data Protection Supervisor
The notification also mentioned that the European Data Protection Supervisor (EDPS) was informed of the breach on 26 April and the competent national authority in Luxembourg was also notified.
“Parliament is in constant contact with the European Data Protection Supervisor to ensure full compliance with the Regulation in force to protect your privacy and your personal data,” the email said.
The EDPS confirmed to Euractiv that they had been notified about the breach in less than 72 hours from the moment the Parliament became aware of it.
“We have acted immediately to make sure that the rights and freedoms of the affected data subjects are protected, and actively supported the European Parliament and its Data Protection Officer in all necessary actions for this personal data breach,” the EDPS told Euractiv.
It said they “are currently waiting for the final conclusions on the personal data breach notification.”
The email is in accordance with Regulation 2018/1725’s Article 34, which is about “Notification of a personal data breach to the European Data Protection Supervisor.”
Regulation 2018/1725 concerns data protection within the EU institutions, bodies, offices, and agencies and the processing of personal data by these entities, ensuring compliance with data protection principles and safeguarding individuals’ rights to privacy within the EU institutions.
In March, the EDPS found that the European Commission had violated this regulation in its use of Microsoft 365, leading to the imposition of corrective measures.
Suggestions
The notification suggested some preventive measures for staff, “irrespective of whether or not your data has been accessed”.
These include suggestions to reset passwords for all Parliament applications and private email used during recruitment, and exercise caution when receiving messages from unknown or fake Parliament accounts, particularly concerning personal information.
Staff were also advised to inform their relatives and close friends about the data breach to prevent them from falling for scams or requests for personal information or money.
The breach comes just one month before the EU Parliament elections on 6-9 June, amid growing fears of cyber interference and disinformation campaigns.
In February, another internal email, reported by Politico, revealed that Parliament’s defence committee was the subject of phone hacking, following insiders’ opinion that the EU institution’s cybersecurity is not ready for the elections and the possible attacks accompanying them.
Also in February, Euractiv reported that the Parliament’s usage of TikTok in campaigning for the June EU elections, despite prior cybersecurity bans, raises questions about its secure implementation.
[Edited by Zoran Radosavljevic]