In a data leak in the EU Parliament, personal data of more than 8,000 current and former employees was accessed. The European Center for Digital Rights has therefore now submitted two complaints to the European Data Protection Supervisor.
In May 2024, the EU Parliament informed its employees about a massive data leak in the recruiting platform “PEOPLE”. However, the data breach had already occurred several months earlier.
Criminals had access to sensitive data from more than 8,000 current and former employees. NOYB, the European Center for Digital Rights, has therefore now two complaints submitted to the European Data Protection Supervisor (EDPS) on behalf of four parliamentary staff.
Data leak in the EU Parliament makes sensitive data vulnerable
If you want to apply for a job at the European Parliament, you must first register on the “PEOPLE” recruiting platform. During the registration process, interested parties must then provide numerous personal details.
But they also have to upload documents here. These include ID cards and passports as well as residence and educational documents. But applicants also provide criminal records and marriage certificates here.
But it was precisely at this point in the application process that an enormous data leak occurred at the EU Parliament. On April 26, 2024, the EU Parliament informed the European Data Protection Supervisor about the data breach.
Employees were then informed at the beginning of May. But the data breach happened several months ago. However, according to NOYB, it is still not clear to this day exactly when the data was accessed and how it came about.
However, the EU Parliament informed its staff that all documents uploaded to “PEOPLE” had been compromised. That is why Parliament also recommended that passports and ID cards be renewed. Parliament will cover the resulting costs.
IT vulnerabilities are not new at EU level
But according to NOYB, this incident is hardly surprising. Because Parliament has “long been aware of vulnerabilities in its own cybersecurity”.
“This data breach follows a series of cybersecurity incidents in EU institutions last year,” explains Lorea Mendiguren, data protection lawyer at NOYB. “Parliament is obliged to take appropriate security measures. After all, employees are a popular target for malicious actors.”
As early as November 2023, the IT department of the EU Parliament came to a sobering conclusion after examining its own systems. The company’s own cybersecurity “does not yet meet industry standards,” the report said.
Risks posed by state-sponsored hackers would “not fully correspond to the threat level” due to the existing measures.
“As an EU citizen, it is worrying that the EU institutions are still so vulnerable to attacks,” complains Max Schrems, chairman of NOYB. “Having such sensitive information in circulation is not just frightening for those affected. It can also be used to influence democratic decisions.”
Data leak in the EU Parliament: NOYB files two complaints
Due to the incidents, NOYB has now submitted two complaints to the European Data Protection Supervisor on behalf of four employees. According to NOYB, the EU Parliament appears to be violating Articles 4(1)(c) and (f) as well as 33(1) of the EU GDPR.
The EU Parliament must bring its data processing into line with the GDPR regulations. These provide, for example, principles for data minimization and storage limitation.
EU institutions may only process data that is “appropriate and relevant to the purpose and limited to what is necessary for the purposes of the processing”. Nevertheless, the retention period for the recruiting platform is ten years.
Particularly sensitive data is also contained here. These can provide information about sexual orientation, ethnicity or political beliefs. This means that this is particularly protected data in accordance with Article 9 of the EU GDPR.
Also interesting:
- Data protection: You have to keep this in mind when it comes to children’s photos on the internet
- Monitoring through AI: Germany needs an employee data protection law
- Telegram: New SMS function is an absolute data protection nightmare
- EU Commission violates EU data protection guidelines
The article Data leak in government software: Employees sue the EU Parliament by Maria Gramsch first appeared on BASIC thinking. Follow us too Facebook, Twitter and Instagram.
As a Tech Industry expert, I am deeply concerned about the data leak in government software that has resulted in employees suing the EU Parliament. Data leaks in government software can have far-reaching consequences, including compromising sensitive information, violating privacy laws, and eroding public trust in government institutions.
It is crucial for government agencies to prioritize data security and implement robust measures to prevent data leaks. This includes regularly updating software, conducting thorough security audits, and providing comprehensive training to employees on how to handle sensitive information.
The fact that employees are suing the EU Parliament over this data leak underscores the seriousness of the situation. Government agencies must be held accountable for safeguarding the data they collect and ensuring that it is not compromised in any way.
Moving forward, it is imperative that government agencies take proactive steps to enhance data security and prevent future data leaks. This incident serves as a stark reminder of the importance of prioritizing cybersecurity in all aspects of government operations.
Credits