
Following the final report of the Cybersecurity Service for the EU institutions, bodies, offices, and agencies (CERT-EU) concluding the investigation of the cyberattack on CEPOL IT infrastructure, the Agency has been notifying relevant data subjects whose personal data were breached. From October 2024 until 31 December 2024, over 97 000 notifications were sent by email to people whose personal data were processed in the 31 processing activities identified as high risk in the context of the data breach. All activities were performed in compliance with the European Data Protection Supervisor’s order and in close cooperation with the EDPS.
Most of the data subjects in CEPOL’s activities were participants of onsite and online training organised by CEPOL: Law Enforcement Education platform (LEEd), exchange programmes, knowledge centres, science and research activities, Human Resource matters and international cooperation projects. Each person, including training participants, experts, trainers, and applicants, received an individual email. Of those people, 7 600 were notified by the International Cooperation Unit. Over 5 400 notifications were sent to data subjects of HR processes, e.g., traineeships, recruitment, as well as financial transactions and travel arrangements.
In addition to the background information on the cyberattack and following investigations, the notifications included information on the types of personal data that may have been affected, the extent of their personal data that should be considered compromised, recommendations of actions that they might want to undertake to minimise the potential adverse effects which might stem from this data breach, and the mitigation measures undertaken by CEPOL.
More information on the data processing operations is available here.
What’s next?
While the Cybersecurity Service for the EU institutions, bodies, offices, and agencies (CERT-EU) has completed its investigation into the cyberattack on CEPOL, the criminal investigation launched by Hungarian law enforcement, supported by Europol, is ongoing.
Should any new information be relayed, it will be published on CEPOL’s website. All data subjects are welcome to check for any updates, as no systematic email will be sent out in the future.
The Data Protection Officer can be contacted at dpo(at)cepol.europa.eu.
The recommendations to the data subjects:
Some suggested steps which were recommended as preventive measures and remedies include:
- Resetting the password on any email account used in communication with CEPOL, especially if that email address is also used for other applications;
- Applying, wherever possible, multi-factor authentication;
- If financial data were affected, alerting banks and fiscal authorities;
- Being prudent when receiving a message from an unknown sender or from an account which might be pretending to be CEPOL;
- Informing your inner circle of people and asking them to be careful about any suspicious event;
- In case of an adverse effect materialising, contacting the relevant local law enforcement authority.
Background information:
You can read the update to all data subjects here.
You can read the first data breach notification to the LEEd users here.