Noyb has filed two complaints against the European Parliament over a massive data breach that impacted the personal data of over 8,000 staff members.
Noyb, a non-profit organization otherwise known as ‘none of your business,’ has filed complaints against the European Parliament after a recruitment portal called ‘PEOPLE’ was breached.
Attackers accessed sensitive data, including ID cards, passports, criminal records, residence documents, and even marriage certificates that included the victim’s sexual orientation.
According to noyb, to apply for a job in the European Parliament, you must register on a recruitment platform called PEOPLE, where you must provide information about yourself.
This includes “heaps of personal data,” including ID cards, passports, residence and education documents, criminal records, and marriage certificates.
The breach itself happened earlier this year and was discovered on April 25th. It’s still unknown whether it was the result of hacking or another vulnerability.
On April 26th, 2024, the European Parliament made former and current employees aware that “every single document…uploaded to PEOPLE (had) been compromised.”
“At the time of filing this complaint, it is still unclear how long the attackers were able to access the personal data of the applicants,” noyb said.
Those affected were asked to change their IDs and passports “as a precautionary measure.”
Noyb claims that the Parliament has “long been aware of cybersecurity vulnerabilities.” In November 2023, a cybersecurity review revealed that the organization’s cybersecurity did not meet industry standards.
Furthermore, the non-profit states that the European Parliament isn’t complying with the GDPR’s data minimization and retention requirements.
According to noyb, the EU GDPR requires European institutions to only process data that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
However, the European Parliament holds these recruitment files for 10 years.
“This is even more worrying when you consider that these files also contain specially protected sensitive data…which can reveal people’s ethnicity, political opinions, religious beliefs, or sexual orientation,” noyb says.
Noyb has filed two complaints with the European Data Protection Supervisor (EDPS) on behalf of employees within the European Parliament.
The non-profit also suggests that the EDPS impose an “appropriate administrative fine to prevent similar violations in the future.”