The privacy watchdog “None of Your Business” (Noyb) said on Thursday it had lodged two complaints accusing the European Parliament of compromising employees’ personal data as a result of a massive cyberattack earlier this year.
Noyb, a non-profit organization that has initiated multiple court proceedings since 2018 regarding the enforcement of European data protection laws, filed the complaints with the European Data Protection Supervisor.
The complaints stem from a significant data breach, when the European Parliament’s recruiting platform, “PEOPLE,” was targeted by a cyberattack. The breach exposed the personal data of over 8,000 staff members.
Noyb said in a statement:
The Parliament only found out about the breach months after it happened, and still doesn’t seem to know the cause. This is particularly worrying as the Parliament has long been aware of vulnerabilities in its cybersecurity system.
The Vienna-based privacy campaign group has asked that the institution be fined for jeopardizing its staff members’ right to privacy.
Among the compromised files were sensitive documents such as ID cards, passports, criminal record extracts, residence permits, and marriage certificates. The breach could also have exposed “specially protected” data, including employees’ sexual orientation, religion, ethnicity, and political views.
“The Parliament has an obligation to ensure proper security measures, given that its employees are likely targets for bad actors,” said Lorea Mendiguren, Data Protection Lawyer at Noyb.
After the breach, the Parliament refused a request from a complainant, who hadn’t worked there for several years, to delete their personal data.
According to Noyb’s complaint, the legislative body’s practice of retaining unnecessary documents for ten years violates the EU’s General Data Protection Regulation (GDPR), which mandates data minimization and limited retention. Max Schrems, chairman of Noyb, stated that if the Parliament had deleted personal data in a timely manner, the impact of the breach could have been significantly reduced.
In November 2023, the EU Parliament’s IT department said the body had “not yet met industry standards” and that existing measures were “not fully in-line with the threat level” posed by state-sponsored hackers, Noyb added.
A year earlier, the Parliament’s website was attacked by Russian hackers, according to the nonprofit. And in February this year, the Parliament suffered a different breach in its security and defence subcommittee, when two MEPs and a staff member found Israeli spyware on their devices.
Noyb chairman Schrems said in a statement,
As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions.