EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials have all been caught up in a Facebook data leak that was released onto a public forum and is circulating widely.
Their data was part of the 533 million records, including phone numbers, Facebook IDs, full names and birthdates, that were discovered on Saturday and are circulating on online forums for free.
A dataset of Belgian and Luxembourgish victims seen by POLITICO also contained phone numbers of dozens of EU officials, including European Commission cabinet members, EU diplomats and staff. POLITICO verified the authenticity of several officials’ details — including reaching Reynders and Bettel directly on their phones — on Tuesday.
When contacted by POLITICO, Bettel said he was aware that his details had appeared online.
Germany’s chief federal privacy regulator Ulrich Kelber also suggested on Twitter he received scam messages as a consequence of the leak.
The European Commission did not immediately respond to a request for comment.
The EU’s Cyber Emergency Response Team (CERT-EU) is investigating the impact the breach may have on EU institutions and their work.
You could be next
In the wake of the incident, experts warned that phone numbers could open up victims to all kinds of cyberattacks.
One common way for hackers to misuse the data is a technique known as “smishing,” in which a cybercriminal or hacker tries to lure victims into clicking on links or responding to requests in text messages.
“Smishing messages already increasing by 300 percent each quarter over the past 12 months,” Jacinta Tobin, executive at cybersecurity firm Proofpoint, said in a statement. “Consumers trust mobile messaging, and they are much more likely to read and access links contained in text than those in email,” she added.
If politicians’ or public figures’ mobile numbers are widely available, “it could make those people vulnerable to immediate threats such as SIM swap attacks,” said Jake Moore, cybersecurity specialist at Slovak firm ESET. SIM swapping is a technique in which hackers convince telecoms operators to switch a phone number to a new SIM card so they get a user’s text messages, and the user doesn’t. Hackers could gain access to bank accounts, email and social media accounts by prompting an app to send a text message to log in.
To prevent getting hacked, using additional security measures is key, experts advised, “especially if you are a potential high-profile target like someone in the media or a politician,” said Moore, pointing to two-factor authentication using mobile authenticator apps and using unique, long passwords.
The EU’s own cybersecurity experts also called on colleagues to check if they were a victim of the attacks.
A spokesperson at the European Union’s Cybersecurity Agency (ENISA) said the agency advised officials to check if they were a victim on websites like HaveIBeenPwned.
If their information was leaked, the spokesperson said, officials should watch out for suspicious text messages as well as “a sudden loss of the carrier service” on a mobile device, which would indicate hackers are trying to gain access to other online accounts.
The leaked Facebook data was found by Alon Gal of the cybercrime intelligence firm Hudson Rock over the weekend. Regulators are investigating whether Facebook breached privacy rules when it suffered the data breach.