EU Parliament hacked, confidential data of 1200 officials leaked

No one is safe from cybersecurity incidents, not even international agencies with large technological resources and complete equipment dedicated to their security. In a recent statement, the European Parliament (EP) revealed that a data breach compromised the information of more than a thousand of its members and officials.

The incident was confirmed this weekend by Marcel Kolaja, the EP’s vice president for IT policy. The data committed includes 1,200 accounts of elected officials and EP staff, along with nearly 15,000 professional accounts collaborating on the various affairs of the European Union.

The official also reported that the records exposed include confidential details, such as login credentials to PE systems and encrypted passwords. Apparently, the incident originated from a system executed under the official domain of the EP (europarl.eu), although the compromised data were not hosted by the institution itself, so the incident is not considered an attack on the EP systems: “The system in question is a system run by a particular political group; the compromised data belongs to that political group, which was informed about the incident immediately,” Kolaja added.

The official did not add further details about the political group affected; however, a specialized medium may have known that it is the European People’s Party (EPP), the EP’s largest political faction. Pedro Lopez de Pablo, spokesman for the affected group, confirmed the incident soon after, informing those affected via email.   

The spokesperson added that the compromised database is out of date, and it only contains information from users subscribed to its old website in 2018: “The compromised site has ceased to be in use since January 2019, when we launched our new website. Our updated servers and databases are completely safe,” he concluded.   

The incident was detected and reported by researchers at cybersecurity firm Shadowmap, who discovered files with data such as passwords, job descriptions, as well as personal details exposed on an Internet portal used by Parliament officials.

The information provided also includes a list of the names of thousands of people affiliated with various political institutions, including members of European Union agencies and authorities, such as Europol, the European Data Protection Supervisor, Frontex, among other agencies.

Yash Kadakia, founder of Shadowmap, notes that his team discovered the compromised information during a routine scan, which is part of its cybersecurity services. Kadakia mentions that it is likely that threat actors could have accessed the compromised information before administrators noticed the leak, exposing other websites and users, as the information remained exposed for some time. Finally, the expert added that the drivers of the exposed information should inform users exposed as soon as possible to prevent risks of additional attacks.