Notification of a data breach related to LEEd platform

Notification of a data breach in accordance with Article 35 of Regulation (EU) 2018/1725 addressed to the LEEd platform users

1. Background of the personal data breach

On 30 May 2024, abnormal activity in CEPOL IT system was detected. Upon detection, this incident was immediately reported to the competent Cybersecurity Service for the EU institutions, bodies, offices and agencies (CERT-EU). On 7 June, CEPOL informed promptly about the cyber incident on its website.

In terms of the investigative measures taken so far, a full investigation has been launched. CERT-EU is investigating the cyberattack and the Hungarian law enforcement authorities have launched a criminal investigation that is supported by Europol. Recently, it has been established that the LEEd platform also has been breached. However, there is no evidence of data exfiltration. The investigations are still ongoing, and the information provided will be updated according to further developments.

2. Personal data processing activities potentially affected

Personal data processing activities in LEEd platform are linked to

• the participants and trainers training registration
• management and planning of training activities, including the CEPOL Exchange programme.

More information on the data types related to the LEEd platform data processing activities, is available here: Data protection | CEPOL (europa.eu).

At this stage, CEPOL has no information about the personal data effectively accessed and potentially compromised.

3. Mitigating measures undertaken to reduce potential adverse effects on the LEEd users

Initial mitigation measures have been implemented to address the effects of the incident affecting the LEEd platform:

• To prevent any damages and mitigate possible adverse risks, the LEEd platform has been closed temporarily from 18 June 2024. A new platform will be rebuilt in a new secure IT environment.
• A dedicated communication channel regarding the cyberattack has been setup. The LEEd users can reach out to CEPOL regarding the cyberattack via LEEd-help@cepol.europa.eu.

CEPOL has been closely cooperating with and receiving support from relevant actors at the EU level such as CERT-EU and the European Data Protection Supervisor in order to comply with the relevant requirements laid down by EU-GDPR[1] regarding data breaches.

Among the potential adverse effects stemming from the cyber incident envisaged at this stage are spamming and spear phishing attempts and a sense of loss of control on one’s personal data. Nevertheless, at this point in time, CEPOL has no definitive information about the personal data accessed and potentially compromised. Once CEPOL has further information on the consequences for the users of the LEEd platform, an updated communication will be published on our website.

4. Recommendations to users of the LEEd platform

Users of the LEEd platform should be cautious of any suspicious messages they may receive to their email accounts or in light of other contact details they provided on the LEEd platform. It is highly recommended for LEEd-users to change their password linked to the email address used for registration, especially if that email address is also used for other applications. Once the LEEd platform has been rebuilt and is back online, CEPOL recommends that registered users consider changing the password they have used for LEEd.

5. Data controllers and the Data Protection Officer

The data controllers of the LEEd platform are the Head of the EU Training Hub Unit and, in the case of activities related to capacity-building projects in third countries, the data controller is the Head of the International Cooperation Unit. They can be contacted for further information and guidance at LEEd-help@cepol.europa.eu.

The Data Protection Officer can be contacted at dpo@cepol.europa.eu.

6. Requests for further information

Updated information about the personal data breach will be published on this website and sent to National LEEd Managers once it is available. Further information can be requested by email at LEEd-help@cepol.europa.eu.