Looking at the response of the Vice-President of the European Parliament’s IT policy, it seems like GDPR only applies to others but not the lawmakers itself.
Data breaches in the European Union are subject to a law named the General Data Protection Regulation (GDPR). While usually, you have firms that would comply with them seeing the power of the regulatory authorities and hefty fines, what happens when those that are the lawmakers get caught under the grasp of the act in itself? Let’s find out.
Recently, ShadowMapTech, an Indian cyberintelligence company discovered a data breach at the European Parliament. Its founder took to Twitter to reveal their findings in a series of tweets.
Our @ShadowMapTech platform has identified a massive data leak at the European Parliament.
This includes data & passwords of 200+ members of the European Parliament, European Council and European Commission.
Also impacts 1000+ members of staff at the European Parliament.
— Yash Kadakia 🇺🇦 (@yashkadakia) May 15, 2020
In addition to the above-mentioned numbers, the breach also included journalists, politicians, and members of several EU institutions such as Europol, European Data Protection Supervisor, EUIPO, and Frontex marking the total number of compromised users to over 15000.
A snippet of the data as seen in the above photo shows that among other data, the database contained it following records:
- User IDs
- Encrypted passwords
- Email addresses
However, the disappointing aspect is the reaction of the European Parliament in itself. Marcel Kolaja, its vice-president of IT policy replied to the tweet that first revealed the incident with an absolute denial as shown below.
Thank you, @yashkadakia, for your white hat report! The leak is not related to a system run by any EU institution and does not contain EU institution data. Those in charge of the system were contacted immediately. Kudos to DG ITEC for a prompt response!https://t.co/Eh8tUWBJkn
— Marcel Kolaja (@PiratKolaja) May 16, 2020
His reasoning was that although the database was from a subdomain of “europarl.eu” – their official site, it was not hosted by the European Parliament. Talking to Politico, he detailed the position of the institution stating that,
The system in question is a system run by one particular political group and it was data by that political group and they were immediately made aware of that incident.
Marcel didn’t name the group, but Politico believes that it may be the European People’s Party (EPP) which holds the majority in parliament. To add evidence to this are the statements of one of the party’s representatives to Politico in an email who has stated that the data exposed is of 2018 from their old website and hence does not pose a threat any longer now that they have a new website. Explaining further, he expressed the notion that,
Even in the case that the people who were subscribed to our website in 2018 used the same password that they had in their e-mails at that time, nothing can happen to them now because in the Parliament the system forces you to change completely your password every three months.
Clarifying the technicalities of the database’s structure, Yash further explained on Twitter that the subdomain “was hosting Drupal and backup scripts (with exposed configurations) but the actual backups themselves were hosted on a third party.”
The big question here remains if the European Parliament itself can react to potential GDPR breaches by denying any ownership of the data, what would prevent others from following suit? They are clearly setting a bad precedent here.
However, Yash again clarified the legal accountability this would pose replying to this specific claim in the debate that ensued on Twitter in the comments section.
GPDR actually regulates information based on the concept of data originator. So it wouldn't matter if a subcontractor led the breach as long the user gave data to you.
— Yash Kadakia 🇺🇦 (@yashkadakia) May 18, 2020
To conclude, even though the data may not pose any harm in terms of the party’s members, other exposed people are at risk, especially the various journalists whose privacy becomes all the more important due to the nature of their profession.
Further, it is important to remember that this breach is more than just any normal breach, it leaves us hanging to re-answer a major question, can powerful institutions evade the grasps of the very regulations that they have supported by using such excuses? We hope to find out soon enough since it is yet to be seen if all 15000+ compromised users will be notified in line with GDPR guidelines.