A collection of private and sensitive information of more than a thousand members, including staff of the European Parliament, was leaked and left exposed in what can only be considered a huge data breach on the European organization’s domain.
As reported over the weekend, the leaked data allegedly includes about 1,200 accounts of parliament officials, including their whole staff, along with 15,000 other professionals’ accounts from the EU affairs office. The Office of the European Parliament, through its vice president for IT policies, Marcel Kolaja, confirmed that this information had been exposed.
The alleged breach was first documented by an Indian cybersecurity firm, which stated that the unprotected data contained accounts, passwords, internal job details, and other personal information of Parliament staff and officials. There was also information relating to political parties, EU agencies with links to other political institutions, European law enforcement organizations, Frontex, and even European Data Protection offices.
According to Kolaja, the leaked data was also verified to have included the encrypted account passwords of EU officials. He mentioned that all the information came from a network that has been managed by the European Parliament’s official domain – europarl.eu – through a system owned by a particular political group, although it was confirmed that the data was not hosted by the EU institution itself. The group was immediately notified of the incident so that it could take the necessary steps.
There was no official mention of the political group that was affected, but there are indications that the group involved is the EPP (European People’s Party), the largest political group in the Parliament.
Pedro Lopez de Pablo, a spokesperson for the group, confirmed that one of their databases containing account information had indeed been exposed.
Nonetheless, de Pablo commented that the database was an outdated one and the leaked information was from their old 2018 website that is no longer used since the release of the 2019 website. He claims that the current servers and database were not included in the attack.
Without downplaying the severity of the issue, de Pablo also noted that even if the affected users or staff still used the same passwords they had in their emails and accounts on the website since 2018, it shouldn’t have any effect on them because the Parliament’s system automatically forces users to change their password every 3 months. The EPP is currently going through the affected email list in order to notify the people as stated in the European Data Protection policies.
Officials and cybersecurity experts have somehow traced the issue to the Parliament’s CERT (Computer Emergency Response Team) last week. The Indian cybersecurity firm came across the exposed data while scanning the web for unprotected and possibly leaked data – as part of their security protocols. They disclosed that the data seems to have been sitting there for quite some time.
The Parliament’s VP for IT policies, Kolaja, is an accomplished software engineer. He warned the EU Parliament about the severity of this attack and stated that this security event is “quite serious”. As of this writing, all leaked passwords have been analyzed, hashed, and taken offline.