Vienna (Austria): A non-profit on Thursday said it had lodged two complaints accusing the European Parliament of compromising employees' personal data as a result of a massive cyberattack earlier this year. The complaints were filed with the European Data Protection Supervisory by Noyb ("None of Your Business"), an organisation that has initiated several court proceedings over the enforcement of European data protection laws since 2018.
They follow a "massive data breach" that the European Parliament told its staff in May that it had suffered earlier in the year. The cyberattack affected the parliament's recruiting platform, which contained personal data of more than 8,000 staff, according to Noyb. "Parliament only found out about the breach months after it happened, and still doesn’t seem to know the cause", Noyb said in a statement announcing that it had lodged the complaints on behalf of four employees.
"This is particularly worrying as the Parliament has long been aware of vulnerabilities in its cybersecurity system", it said. The Vienna-based privacy campaign group has asked that the institution be fined over jeopardising its staff members' right to privacy. The breached files, which included marriage certificates, contained "specially protected sensitive data", such as employees' sexual orientation, religion, ethnicity and political views, according to Noyb.
"The Parliament has an obligation to ensure proper security measures, given that its employees are likely targets for bad actors," Mendiguren said. Following the breach, the Parliament denied a request by one complainant who had not worked there for several years to erase their personal data.
The legislative body retains unnecessary documents for far too long -- 10 years -- which does not comply with the EU's landmark General Data Protection Regulation (GDPR) data minimisation and retention requirements, said Noyb. The Parliament's IT department in November 2023 said the body had "not yet met industry standards" and that existing measures were "not fully in-line with the threat level" posed by state-sponsored hackers, Noyb added.
The parliament's website was attacked by Russian hackers in November 2022, according to the nonprofit. Two MEPs and a staff member in February 2024 also found Israeli spyware on their devices.
