A data leak in the EU Parliament resulted in the personal data of more than 8,000 current and former employees being accessed. The European Center for Digital Rights has therefore now filed two complaints with the European Data Protection Supervisor.
In May 2024, the EU Parliament informed its employees about a massive data leak in the recruitment platform “PEOPLE”. However, the data breach had already occurred several months earlier.
Criminals had access to sensitive data of more than 8,000 current and former employees. NOYB, the European Center for Digital Rights, has therefore now filed two complaints on behalf of four Parliament employees with the European Data Protection Supervisor (EDPS).
Data leak in the EU Parliament makes sensitive data vulnerable
Anyone who wants to apply for a job at the European Parliament must first register on the recruitment platform “PEOPLE”. During the registration process, interested parties must also provide a lot of personal information.
Applicants also have to upload documents to the platform. These include identity cards and passports as well as residence and education documents. Applicants also provide criminal records and marriage certificates there.
But it was precisely at this point in the application process that an enormous data leak occurred at the EU Parliament. On April 26, 2024, the EU Parliament informed the European Data Protection Supervisor about the data breach.
The employees were informed at the beginning of May, although the data breach had already occurred several months earlier. According to NOYB, it is still not clear when exactly the data was accessed and how it happened.
The EU Parliament did, however, inform its staff that all documents uploaded to “PEOPLE” had been compromised. The Parliament therefore also advised people to have their passports and ID cards renewed and said it would cover the resulting costs.
IT vulnerabilities are not new at EU level
But according to NOYB, this incident is hardly surprising, as Parliament has “long been aware of vulnerabilities in its own cybersecurity.”
“This data breach follows a series of cybersecurity incidents in EU institutions over the past year,” explains Lorea Mendiguren, data protection lawyer at NOYB. “Parliament has an obligation to take appropriate security measures. After all, staff are a popular target for malicious actors.”
As early as November 2023, the IT department of the EU Parliament came to a sobering conclusion after examining its own systems. The Parliament's cybersecurity “does not yet meet industry standards,” the report said.
The existing measures do not “fully address the level of threat” posed by state-sponsored hackers.
“As an EU citizen, it is worrying that the EU institutions are still so vulnerable to attacks,” complains Max Schrems, Chairman of NOYB. “Having such sensitive information in circulation is not only frightening for those affected. It can also be used to influence democratic decisions.”
Data leak in the EU Parliament: NOYB files two complaints
Due to the incidents, NOYB has now filed two complaints on behalf of four employees with the European Data Protection Supervisor. According to NOYB, the EU Parliament appears to be violating Articles 4(1)(c) and (f) and 33(1) of the EU GDPR.
The EU Parliament must bring its data processing into line with the GDPR regulations. These include, for example, principles for data minimization and storage limitation.
EU institutions may only process data that is “adequate, relevant and limited to what is necessary for the purposes of the processing”. Nevertheless, the retention period of the recruitment platform is ten years.
The platform also holds particularly sensitive data, which can reveal sexual orientation, ethnic affiliation or political beliefs. This makes it specially protected data under Article 9 of the EU GDPR.
Source: https://www.basicthinking.de/blog/2024/08/22/datenleck-eu-parlament/