Identity cards, passports, extracts from criminal records and work experience documents were among the personal data of European Parliament staff exposed in a data breach, according to an internal email sent on Wednesday (22 May) and seen by Euractiv.

The European Parliament informed its staff of a data breach in the recruitment app PEOPLE, which is used to recruit non-permanent staff, Euractiv reported on 6 May.

The breach took place in early 2024 and was confirmed on April 25 by Kristian Knudsen, a general manager, in an email.

On Wednesday (May 22), a new email sent by the PEOPLE app team and seen by Euractiv detailed to individual employees which documents uploaded to the PEOPLE app were compromised. In the emails seen by Euractiv, almost all of the uploaded documents were said to have been hacked.

“After analysis, all active and inactive users received detailed information on 22/05, in accordance with the recommendation of the European Data Protection Supervisor (EDPS),” a Parliament spokesperson told Euractiv.

Former Parliament employees were also notified by email that some of their personal data was affected, sources told Euractiv. In some cases, this included data that was no longer up to date.

It is not yet known whether the breach was the result of hacking or another cause. The representative of the Parliament did not respond to Euractiv’s question on May 23 about the number of people who fell victim to this breach.

The PEOPLE app, an HR tool, was disabled after the data breach. Staff were advised to change all passwords and be wary of suspicious messages.

The EDPS and the Luxembourg national authority are still investigating the breach.

The affected documents also concern the certificate of marital status, residence and residence, education or experience, military obligations, responsible declarations, documents for the establishment of individual rights and contracts.

Parliament’s cyber security experts and the Luxembourg police are “continuing to carry out an in-depth analysis in order to clarify all the circumstances under which the breach took place,” the Parliament spokesman added.

“The PEOPLE app is in the process of being secured and will be back online soon,” the email said.

However, those who are no longer in the hiring process cannot access their account.

Interested workers

“Our identities can effectively be stolen and our data misused,” wrote Dávid Kardos, accredited parliamentary assistant to MEPs Anna Donáth and Katalin Cseh in an email to the Committee of Accredited Parliamentary Assistants (APA) sent on May 23 and saw Euractiv.

The APA also expressed its displeasure at the lack of adequate information about the data breach and potential investigation, as well as the lack of advice from Parliament on how employees can secure their data.

They asked to know why “not a single recommendation was offered”, if they need to change their identity documents and how to handle the unchanged data.

In his email, Kardos questioned the late notification of the leak, which occurred earlier this year, and asked about any ongoing investigations and possible suspects, including whether there was a possibility of third-party involvement.

“I wonder why they mentioned it now, when the parliamentary term is already over,” he told Euractiv.