Personal data of nearly 100,000 individuals that have participated in trainings organized by CEPOL, the European Union (EU) Agency for Law Enforcement Training, has potentially been compromised due to the cyberattack suffered by the agency in May 2024.
“Starting in October 2024, until 31 December 2024, over 97 000 notifications were sent to people whose personal data were processed in the 31 processing activities identified as high risk in the context of the data breach were contacted via email,” the agency shared on Friday.
“Most of the data subjects in CEPOL’s activities were participants of onsite and online training organised by CEPOL: Law Enforcement Education platform (LEEd), exchange programmes, knowledge centres, science and research activities, Human Resource matters and international cooperation projects.”
Data compromised in EU CEPOL breach could be misused in various ways
CEPOL is based in Budapest, Hungary, and its purpose is to strengthen cooperation among law enforcement bodies and improve security in the EU by enhancing the skills and knowledge of police officers, border guards, customs officials, and other law enforcement personnel. The agency works closely with Europol (law enforcement), Eurojust (criminal justice cooperation), Frontex (border management), and other EU agencies to achieve its goals.
In July 2024, the agency shared that an investigation had been launched after abnormal activity in CEPOL IT system was detected, and that its LEEd platform – (ideally) accessible only to members of the law enforcement community – had also been breached. (The CEPOL IT infrastructure and the LEEd platform have been subsequently shut down and rebuilt in a new, secure IT environment.)
In late November, they confirmed that “all data processed by CEPOL—including personal data—should be considered as compromised by the threat actor.” This data includes users’ name, email address, phone number, rank/title, organizations, country, professional qualifications, gender, etc.
“There are many potential adverse effects which might stem from this data breach,” the agency said at the time, and advised users to be on the lookout for and to report the misuse of the data for tailored scams, framing for (illegal) activities, blackmailing, cyber harassment, and so on.
They also urged them to reset the password on any email account used in communication with CEPOL, enable multi-factor authentication, and inform their inner circle of people and ask them to be careful about any suspicious event.
Threat actors targeting law enforcement agencies
While CERT-EU has completed the investigation into the cyberattack, the criminal investigation by Hungarian law enforcement is still in progress.
Various platforms belonging to EU law enforcement institutions and agencies – including Europol – have been breached last year and the stolen data reportedly sold on hacker forums by the cybercriminals outfit IntelBroker.
Another threat actor (“USDoD”) claimed to have gained access to FBI’s InfraGard, CEPOL’s LEEd, and NATO’s Cyber Security Centre platforms.
A person suspected of being behind that moniker has been arrested in October 2024 by the Brazilian federal police.