ShadowMapTech, an Indian cyber intelligence company, revealed last week that it had identified a massive data leak at the European Parliament. The incident, according to the firm, compromised the personal data of more than a thousand staff and members of the institution.
In a tweet dated May 15, ShadowMap founder Yash Kadakia revealed that the leak included data and passwords of over 200 members of the European Parliament, European Council and European Commission. The personal information of another 1000+ European Parliament staff was also affected.
“The data also includes 15,000+ users including journalists, members of a number of political parties and institutions,” Mr. Kadakia added.
“It also includes members of several European Union Institutions like the Europol, European Data Protection Supervisor, EUIPO, Frontex, etc.”
A spokesperson for the European Parliament, however, denied the claim, saying no Parliament account had been compromised.
“We have been informed about these allegations. The possible incident has been looked into and we can confirm no official accounts or mailboxes of the European Parliament are involved,” the spokesperson explained.
“This information may be related to an old service account of a political group.”
Despite this, Mr. Kadakia told the Daily Express that a breach had definitely occurred and provided further details of the alleged leak, saying that the compromised data includes at least 2000 official accounts.
“I can confirm that there are at least 2000 [compromised] emails that use the http://europa.eu domain,” he explained.
“The website itself was also hosted on a subdomain of http://europa.eu.”
Marcel Kolaja, vice-president of the European Parliament’s IT policy, however, argued that while the database was from a subdomain of “europarl.eu”, which serves as the parliament’s official site, it was not hosted by the institution.
“The system in question is a system run by one particular political group and it was data by that political group and they were immediately made aware of that incident,” he said in an interview with POLITICO.
“Even in the case that the people who were subscribed to our website in 2018 used the same password that they had in their e-mails at that time, nothing can happen to them now because in the Parliament the system forces you to change completely your password every three months,” he added.
The details discovered by Kadakia and his team included passwords, job descriptions, and other personal information of the impacted individuals who are serving in the Parliament.