
Passports, criminal records leaked in EU Parliament data breach


Identity cards, passports, excerpts of criminal records, and work experience documents were among the personal data of European Parliament employees compromised in a data breach, according to an internal email sent on Monday (22 May) and seen by Euractiv.

The European Parliament notified its staff about a data breach in the recruitment application PEOPLE, used for hiring non-permanent staff, Euractiv reported on 6 May.

The breach took place at the start of 2024 and was confirmed on 25 April by Kristian Knudsen, a director-general, in an email.

On Monday (22 May), a new email, sent by the PEOPLE application team and seen by Euractiv, detailed to individual employees which documents uploaded in the PEOPLE app were part of the breach. In the emails seen by Euractiv, almost all the uploaded documents were listed as being affected.

“After analysis, all active and non-active users were provided with detailed information on 22/05, in line with the recommendation of the EDPS,” a Parliament spokesperson told Euractiv.

It is still unknown whether the breach was the result of hacking or another vulnerability. The Parliament spokesperson did not comment on Euractiv’s inquiry on 23 May as to how many people were affected.

The PEOPLE application, an HR tool, was deactivated after the data breach. Staff were advised to reset passwords and be cautious of suspicious messages.

The European Data Protection Supervisor (EDPS) and Luxembourg’s national authority are still investigating the breach.

The affected documents also relate to civil status, residence and domicile, education or experience, military obligations, declarations of honour, documents to establish individual entitlement, and contracts.

The Parliament’s cybersecurity experts and the Luxembourg Police “continue to carry out in-depth analysis in order to clarify all the circumstances surrounding the breach,” the Parliament spokesperson added.

“The PEOPLE application is in the process of being secured and will soon be back online,” the email reads.

However, those who are no longer in the recruitment procedure cannot access their accounts.

Employees concerned

“Our identities can be basically stolen and our data can be misused,” wrote Dávid Kardos, accredited parliamentary assistant (APA) for MEPs Anna Donáth and Katalin Cseh in an email to the APA Committee sent on 23 May and seen by Euractiv.

The APA also expressed dissatisfaction about the lack of sufficient information about the data breach and possible investigation, as well as the lack of advice from the Parliament on how employees can secure their data.

They asked why there “was not even a single piece of recommendation offered,” whether they needed to change their ID documents, and how to handle unchangeable data.

In his email, Kardos questioned the delayed notification about the leak, which occurred at the beginning of the year, and asked about any ongoing investigations and potential suspects, including whether there is a possibility of third-country involvement.

“I wonder why they came forward with this now when the parliamentary term is already over,” he told Euractiv.

[Edited by Alice Taylor]
