The European Parliament has been hit by a "major data breach"
The information includes sensitive information and encrypted passwords.
Information about more than a thousand staff and members of the European Parliament has been exposed in what a key lawmaker called a "major data breach."
The data includes 1,200 accounts of elected officials and staff, along with another 15,000 other accounts of EU affairs professionals, Marcel Kolaja, the Parliament's vice president for IT policy, confirmed to POLITICO on Saturday.
The exposed information — “a huge amount of data” — includes sensitive information and encrypted passwords, he added.
It comes from a system that had been run under the European Parliament’s official "europarl.eu" domain, Kolaja said, but the data had not been hosted by the institution itself.
“The system in question is a system run by one particular political group and it was data by that political group," Kolaja said, "and they were immediately made aware of that incident.”
Kolaja declined to say which political group was affected. But information seen by POLITICO about the affected server suggested that it is the European People’s Party (EPP), the largest political faction in the Parliament.
EPP group spokesperson Pedro López de Pablo confirmed in an email that a database containing email addresses and passwords had been exposed.
However, he added, that database was outdated and only contained information "used by the people who [were] subscribed to our old website back in 2018." That website is no longer in use after the group launched a new website in January 2019, López de Pablo said.
Both the EPP's "servers and the current database have not been exposed," López de Pablo wrote.
"Even in the case that the people who were subscribed to our website in 2018 used the same password that they had in their e-mails at that time, nothing can happen to them now because in the Parliament the system forces you to change completely your password every three months," he added.
He added that the EPP was "currently verifying the list of emails to inform all the people, following [European data protection] rules."
'This is serious'
The security breach was first revealed Friday by Indian cybersecurity company Shadowmap, whose founder Yash Kadakia told POLITICO that it had discovered files containing data like passwords, job descriptions and other personal information via an internet portal that’s part of the Parliament’s domain and used by its officials.
The unprotected data also includes information of thousands of people with links to political parties and institutions, including members of EU agencies and authorities like law enforcement agency Europol, the European Data Protection Supervisor, border agency Frontex and others, Kadakia said.
A spokesperson of the European Commission, the bloc’s executive body, said in an email on Saturday that “a large number of users [were] affected, including some users from the Commission."
Kadakia flagged the issue to the Parliament’s Computer Emergency Response Team on Friday. His company found the data when scanning the internet for unprotected and leaked datasets, which it does as part of its cybersecurity services. “We end up picking up data that is lost to other people sometimes,” Kadakia said.
The risk, he said, was that the data had been found by hackers and could be used to access other websites and sensitive services.
“This data has been online for some time now,” he said.
“I’m assuming some subset of members of the European Parliament have used the same passwords,” he said. “If you’re able to access a whole bunch of systems, a whole bunch of information, as an attacker you can really get in there.”
By noon on Saturday, all affected data appeared to have been taken offline.
Parliament Vice President Kolaja, a trained software engineer, warned, "This is serious."
Although the passwords leaked in the data breach had been protected by a technique known as “hashing” (a one-way transformation rather than reversible encryption), which means that intruders cannot instantly use them to access other information, “with further cryptanalysis of the data, it could definitely be abused,” he added.
“Given that we’re speaking about tons of data, it definitely now needs to be investigated if there was any breach of law,” he said.
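To make concrete why a dump of "hashed" passwords is still a serious exposure, and what Kolaja's "further cryptanalysis" and Kadakia's password-reuse concern mean in practice, here is an added worked example that is not part of the POLITICO article and has no connection to the actual leaked data. It uses a constructed mini-dump of unsalted MD5 digests (a common legacy scheme on 2018-era websites; the article does not say which algorithm the EPP site used) and a constructed four-entry wordlist, and it contrasts that with salted PBKDF2 storage, which is what a site operator should use instead. The account names, passwords and wordlist are all made up.

```python
import hashlib
import hmac
import secrets

# --- Constructed sample data (not from the article) ---------------------------
# A legacy web app that stored unsalted MD5 digests. Two users chose the same
# password; the third chose a long passphrase.
LEAKED_UNSALTED = {
    "alice@example.eu": hashlib.md5(b"Summer2018").hexdigest(),
    "bob@example.eu":   hashlib.md5(b"Summer2018").hexdigest(),
    "carol@example.eu": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# A tiny constructed wordlist standing in for the large public password lists
# that would be checked against a real dump.
COMMON_PASSWORDS = ["password", "123456", "Summer2018", "Brussels1"]


def exposed_accounts(leaked: dict, wordlist: list) -> dict:
    """Audit a legacy dump: which accounts' digests match a wordlist entry.

    With an unsalted fast hash the wordlist is hashed once and compared
    against every record, so "hashed" alone does not make a leak harmless.
    """
    lookup = {hashlib.md5(p.encode()).hexdigest(): p for p in wordlist}
    return {acct: lookup[d] for acct, d in leaked.items() if d in lookup}


def shared_password_groups(leaked: dict) -> list:
    """Accounts with identical digests share a password; unsalted storage
    reveals this without any guessing at all, which is what makes
    cross-site password reuse easy to spot in a dump."""
    by_digest = {}
    for acct, d in leaked.items():
        by_digest.setdefault(d, []).append(acct)
    return sorted(sorted(g) for g in by_digest.values() if len(g) > 1)


# --- Hardened storage: per-user salt plus a deliberately slow derivation -------
PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, random salt, digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time comparison."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("Recoverable from wordlist:", exposed_accounts(LEAKED_UNSALTED, COMMON_PASSWORDS))
    print("Accounts sharing a password:", shared_password_groups(LEAKED_UNSALTED))
    record = hash_password("Summer2018")
    # Same password, fresh salt: the stored record differs every time.
    print("Salted records differ:", record != hash_password("Summer2018"))
    print("Verify correct / wrong:", verify_password("Summer2018", record),
          verify_password("Summer2019", record))
```

The two halves show the asymmetry the article is pointing at: against the legacy dump, the short wordlist immediately recovers two of three accounts and shows that they share a password, while the salted, iterated scheme forces each record to be attacked separately at roughly 600,000 hash computations per guess, and identical passwords no longer produce identical records. Forced periodic password changes, as the EPP spokesperson describes, help only where the Parliament's own systems are concerned; they do nothing for other services where the same password was reused.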
Source: politico.eu