European Parliament election prep unearthed data breach
The breach, dating back to early 2024, was uncovered two weeks ago as the European Parliament intensified efforts to reinforce its cybersecurity in preparation for the upcoming European elections in June, a press officer from the European Parliament told Euronews.
The compromised application which has now been taken offline is called 'PEOPLE', and collated sensitive information related to around 8,000 candidates for temporary positions (including parliamentary assistants and contractual agents) and provided them with details about the recruitment process. "All active or past users potentially affected by the data breach were duly notified," according to the press officer. Notifications were also sent to the European Data Protection Supervisor (EDPS) and authorities in Luxembourg, where PEOPLE is headquartered.
The Parliament assured Euronews that its infrastructure was not compromised. However, the extent and the origin of the breach remain unknown, raising concerns that it might have been the result of a foreign cyberattack.
Slow response
This incident is not the first cybersecurity challenge faced by the institution. In 2020, personal data related to 1,200 EU officials, including lawmakers and staff, were exposed online. In 2022, the EP's website was targeted by hackers believed to be of Russian origin after the EP condemned the war in Ukraine. Nonetheless, upcoming regulations aim to improve the response mechanism. By October, EU member states will have to transpose the Network and Information Security Directive 2 (NIS2), the EU's cybersecurity rules related to critical entities. The rules, proposed by the European Commission in 2020 replace the old NIS directive dating back to 2016. Public administrations, as well as other sectors such as energy companies, cloud computing providers, water management companies, will fall under the scope of the rules making them socalled critical sectors.
This means that companies from any of these sectors that are subject to a cybersecurity incident will have 24 hours from when they first become aware of the incident to submit a warning to a national authority. Euronews reported in March that only a few countries have started implementing the rules into their national rulebooks