26 Nov 2024

Update on the notification of a data breach in accordance with Article 35 of Regulation (EU) 2018/1725


Following the cyberattack on the EU Agency for Law Enforcement Training (CEPOL) earlier this year, both the Cybersecurity Service for the EU institutions, bodies, offices, and agencies (CERT-EU) and the Hungarian law enforcement, supported by Europol, launched investigations. CERT-EU has completed its investigation. While it could not conclusively determine all the actions carried out by the threat actor within CEPOL’s network and IT infrastructure, it concluded that the CEPOL IT environment was heavily impacted. Therefore, all data processed by CEPOL, including personal data, should be considered as compromised by the threat actor.

We sincerely apologise for any distress this might have caused. We are also doing everything to mitigate the situation. We have been closely cooperating with and receiving support from relevant actors at the EU level, including the European Data Protection Supervisor, in order to comply with the relevant requirements laid down by EUDPR regarding data breaches.

Following the notification of a data breach related to LEEd platform users published in July, we are updating the notification to all data subjects, which includes data subjects in all data processing activities. We are also in the process of sending individual notifications detailing the types of personal data that were being processed and should be considered as compromised.

CEPOL will continue to monitor the situation and provide updates if any additional information is made available. Should any further questions regarding the personal data breach arise, please contact CEPOL’s Data Protection Officer: dpo(at)cepol.europa.eu.

Notification of a data breach in accordance with Article 35 of Regulation (EU) 2018/1725  

1. Background of the personal data breach

On 30 May 2024, abnormal activity in the CEPOL IT systems was detected. Upon detection, this incident was immediately reported to the competent Cybersecurity Service for the EU institutions, bodies, offices and agencies (CERT-EU). This triggered an investigation of the cyberattack by CERT-EU, while the Hungarian law enforcement authorities, supported by Europol, launched a criminal investigation. 

CERT-EU’s investigation could not conclusively determine all the actions carried out by the threat actor within CEPOL’s network and IT infrastructure; however, it concluded that the CEPOL IT infrastructure was very heavily impacted and that all data within CEPOL’s environment should be considered as compromised. 

2. Personal data affected 

Personal data processing activities may include:

  • Contact data, including the name, email address, and phone number.
  • Professional data, including a rank/title, organisation, country, and professional qualifications.
  • Other information, including gender, nationality, and dietary requirements.

More information on the data processing operations is available here: Data protection | CEPOL (europa.eu).

3.  Recommendations

There are many potential adverse effects which might stem from this data breach. Although we currently do not have concrete proof of this happening, you need to be alert for: 

  • Scamming (generic to somewhat tailored scams; phishing; smishing; “spear” phishing; social engineering); 
  • Unauthorised use of personal information (acquiring funds or goods; framing for (illegal) activities; acquiring more personal information); 
  • Leaking; Blackmailing; (Cyber) harassment (exploiting (sensitive) information which might lead to reputational damage, psychological distress, financial damage, sense of loss of control). 

In case of an adverse effect materialising, contact the relevant local law enforcement authority.

Some suggested steps which you may consider as preventive measures and remedies include: 

  • Resetting your password on any email account used in communication with CEPOL, especially if that email address is also used for other applications;
  • Applying, wherever possible, multi-factor authentication; 
  • Being prudent when receiving a message from an unknown sender or from an account which might be pretending to be CEPOL; 
  • Informing your inner circle of people and asking them to be careful about any suspicious event.

In case of receiving an email from an unknown sender, we recommend practising vigilance by checking any links before clicking (either hover over the link with your mouse or go directly to the sender’s website to confirm the information received via email/SMS/Messenger).

4.  Mitigation measures undertaken to reduce potential adverse effects 

Upon the realisation of the severe impact of the cyberattack, the entirety of the CEPOL IT infrastructure was shut down swiftly, in line with recommendations from CERT-EU, and has since been rebuilt in a new and secure environment, hosted by DG DIGIT.  

CEPOL has been closely cooperating with and receiving support from relevant actors at the EU level such as CERT-EU and the European Data Protection Supervisor in order to comply with the relevant requirements laid down by Regulation (EU) 2018/1725.  

The Data Protection Officer can be contacted at dpo(at)cepol.europa.eu.  
