noyb files two complaints against EU Parliament over massive data breach

Data Security
 /  22 August 2024

In early May 2024, the European Parliament informed its staff of a massive data breach in the institution’s recruiting platform (called “PEOPLE”). The breach affected the personal data of more than 8,000 staff. This included ID cards and passports, criminal record extracts, residence documents and even sensitive data such as marriage certificates that reveal a person’s sexual orientation. The Parliament only found out about the breach months after it happened, and still doesn’t seem to know the cause. This is particularly worrying as the Parliament has long been aware of vulnerabilities in its cybersecurity system. EU institutions are naturally high up on the list of hackers and foreign adversaries. noyb has now lodged two complaints with the European Data Protection Supervisor on behalf of four parliament employees.

Picture of the EU Parliament's plenary hall in Brussels, Belgium

The data of all applicants in one place. Before you can apply for a job at the European Parliament, you have to register on its recruitment platform PEOPLE. There, applicants provide the institution with heaps of personal data. This includes ID cards and passports, residence and education documents, and also sensitive data such as criminal record extracts and marriage certificates that can reveal your sexual orientation. This makes it all the more important that the EU Parliament takes appropriate security precautions to protect this data from being accessed by third parties.

Thousands affected by data breach. On 26 April 2024, the EU Parliament informed the European Data Protection Supervisor (EDPS) of a massive data breach in PEOPLE, affecting more than 8,000 current and former employees. It is still unclear when and how the data breach actually occurred, but those affected have been told that every single document they uploaded to PEOPLE has been compromised. On 31 May, the Parliament advised the people concerned to replace their IDs and passports as a precautionary measure and offered to reimburse them for the costs. At the time of filing this complaint, it is still unclear how long the attackers were able to access the personal data of the applicants.

Lorea Mendiguren, Data Protection Lawyer at noyb: “This breach comes after repeated cybersecurity incidents in EU institutions over the past year. The Parliament has an obligation to ensure proper security measures, given that its employees are likely targets for bad actors.”

Known cybersecurity vulnerabilities. This incident is particularly worrying, because the Parliament has long been aware of cybersecurity vulnerabilities: In November 2023, the Parliament’s IT department conducted a cybersecurity review – and concluded that the institution’s cybersecurity “has not yet met industry standards” and that existing measures were “not fully in-line with the threat level” posed by state-sponsored hackers. Not only that, but the PEOPLE breach occurred alongside a number of other cyberattacks on EU institutions. Russian hacking groups attacked the Parliament’s website in November 2022 and numerous European governments in autumn 2023. In February 2024, the Parliament suffered a different breach in its security and defence subcommittee, when two MEPs and a staff member found Israeli spyware on their devices.

Max Schrems, Chairman of noyb: “As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions.”

Much more data than necessary. The data breach also reveals that the Parliament isn't complying with the GDPR's data minimisation and retention requirements. Article 4(1)(c) EU GDPR requires EU institutions to only process data that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Nevertheless, the EU Parliament’s retention period for recruitment files is 10 years. This is even more worrying when you consider that these files also contain specially protected sensitive data under Article 9, which can reveal people’s ethnicity, political opinions, religious beliefs or sexual orientation. In this case, a complainant uploaded a copy of her marriage certificate to the portal. This made it possible to determine her sexual orientation.

Max Schrems, Chairman of noyb: “The breach also shows that just getting rid of personal data in time could likely have limited the impact of the breach.”

Two complaints with the EDPS. noyb has now filed two complaints with the European Data Protection Supervisor (EDPS) on behalf of employees. The EDPS is the authority responsible for data protection violations by EU institutions. The EU Parliament appears to have breached Articles 4(1)(c) and (f) and 33(1) of the EU GDPR. Additionally, in one complainant’s case, the Parliament refused an erasure request made after the breach, citing the 10 year retention period, despite the complainant’s concerns given the breach and fact that they had not worked there for several years. noyb requests the EDPS to use its corrective powers to order the Parliament to bring its processing into compliance. In addition, noyb suggests that the EDPS impose an appropriate administrative fine to prevent similar violations in the future.

  翻译: