Tech

EU Parliament says sensitive data of 1,200 officials left exposed on web

Information about more than a thousand staff and members of the European Parliament has been exposed in what a key lawmaker called a “major data breach.”

The data includes 1,200 accounts of elected officials and staff, along with another 15,000 other accounts of EU affairs professionals, Marcel Kolaja, the Parliaments vice president for IT policy, confirmed to POLITICO on Saturday.

The exposed information — “a huge amount of data” — includes sensitive information and encrypted passwords, he added.

It comes from a system that had been run under the European Parliaments official “europarl.eu” domain, Kolaja said, but the data had not been hosted by the institution itself.

“The system in question is a system run by one particular political group and it was data by that political group,” Kolaja said, “and they were immediately made aware of that incident.”

“This data has been online for some time now” — Yash Kadakia, founder of Indian cybersecurity company Shadowmap

Kolaja declined to say which political group was affected. But information seen by POLITICO about the affected server suggested that it is the European Peoples Party (EPP), the largest political faction in the Parliament.

EPP group spokesperson Pedro López de Pablo confirmed in an email that a database containing email addresses and passwords had been exposed.

However, he added, that database was outdated and only contained information “used by the people who [were] subscribed to our old website back in 2018.” That website is no longer in use after the group launched a new website in January 2019, López de Pablo said.

Both the EPPs “servers and the current database have not been exposed,” López de Pablo wrote.

“Even in the case that the people who were subscribed to our website in 2018 used the same password that they had in their e-mails at that time, nothing can happen to them now because in the Parliament the system forces you to change completely your password every three months,” he added.

He added that the EPP was “currently verifying the list of emails to inform all the people, following [European data protection] rules.”

This is serious

The security breach was first revealed Friday by Indian cybersecurity company Shadowmap, whose founder Yash Kadakia told POLITICO that it had discovered files containing data like passwords, job descriptions and other personal information via an internet portal thats part of the Parliaments domain and used by its officials.

The unprotected data also includes information of thousands of people with links to political parties and institutions, including members of EU agencies and authorities like law enforcement agency Europol, the European Data Protection Supervisor, border agency Frontex and others, Kadakia said.

A spokesperson of the European Commission, the blocs executive body, said in an email on Saturday that “a large number of users [were] affected, including some users from the Commission.”

Kadakia flagged the issue to the Parliaments Computer Emergency Response Team on Friday. His company found the data when scanning the internet for unprotected and leaked datasets, which it does as parRead More – Source