Over 700 pages full of sensitive files detailing various terrorism investigations spearheaded by crime-fighting agency Europol have reportedly been exposed online. The data, spanning from 2006 to 2008, was found on a hard drive connected to the internet without password protection.
According to Zembla, the Dutch television programme that uncovered the leak, the dossiers – which allegedly referenced 54 separate European investigations – were mishandled by a national police employee who brought them home against Europol policy.
The files included analysis of the Hofstad Network, the Madrid bombings and foiled attacks on airplanes with liquid explosives, Zembla said. They also featured "hundreds of names" and telephone numbers believed to be linked with terrorism alongside information on investigations never made public.
The TV programme cited Wil van Gemert, the deputy director of Europol, as acknowledging the validity of the leak. "This affects confidentiality and that is why we immediately set up an investigation to see how this could have happened," he is quoted as saying.
The police chief admitted that some identities included in the exposed files may still be under "long-term" active investigation. "The fact that they were ten years ago, part of an investigation, can still mean that they are part of an investigation," Van Gemert added.
Europol spokesperson Jan Op Gen Oorth told IBTimes UK that because no on-going investigations have been jeopardised the agency does not consider the incident to be a leak.
"The concerned former staff member, who is an experienced police officer from a national authority, uploaded Europol data to a private storage device while still working at Europol, in clear contravention to Europol policy," he explained.
Op Gen Oorth continued: "A security investigation regarding this case is ongoing, in coordination with the respective authorities at national level to which the staff member returned. Current information suggests that the security breach was not ill-intended.
"Although this case relates to Europol sensitive information dating from around 10 years ago, Europol immediately informed the concerned Member States. As of today, there is no indication that an investigation has been jeopardised, due to the compromise of this historical data."
The dossiers have not been published online to protect the sensitive nature of the data. It is unclear if any unauthorised access occurred while they were exposed to the open internet. Zembla said it would not release the files to ensure it did not "bring terrorism investigations [into] danger."
Sophie in 't Veld, a privacy campaigner and Dutch member of the European Parliament (MEP), tweeted on 30 November: "Huge data leak. Will call for @EU_Commission and @Europol director to come and inform @Europarl_EN."
Dr Bibi van Ginkel, terrorism expert and senior research fellow at the Clingendael Institute think tank in The Netherlands, tweeted: "Police organisations never want to reveal how much they know to prevent bad guys understanding how police operates/infiltrates. She added: "This leak might jeopardise trust between states."
Europol, headquartered in The Hague, assists the 28 EU member states in their fight against serious international crime and terrorism. It helps combat terrorism, money laundering, drug trafficking, fraud, counterfeiting, cybercrime and other major illicit operations.
Recently, the European Union's legislative body, the European Commission (EC) was hit with a "large-scale" distributed-denial-of-service (DDoS) cyberattack that knocked its website and internal computer systems offline for "several hours" on 24 November.
While earlier this year, in a separate terrorism-related leak, a database called World-Check was left exposed online. According to researchers, it contained 2.2million records from 2014 that included "risk profiles" on individuals with alleged links to organised crime, terror groups and corruption.
Full statement from Europol:
"Europol operates state-of-the-art databases and secure communication capabilities for processing and analysing operational and classified information. Europol adheres to the highest standards of data security, including continuous security briefings provided to staff members: State-of-the-art security is the basis for maintaining trust among all the parties that share information and intelligence with and through Europol.
"As for any law enforcement agency processing sensitive information, the design of a robust system cannot completely eliminate human error. Europol has a robust framework in place regarding security clearance measures and sanctions for breaches of security rules.
"A recent case included in a Dutch television programme concerned the breach of an ex-Europol staff member with Europol's security regime. The concerned former staff member, who is an experienced police officer from a national authority, uploaded Europol data to a private storage device while still working at Europol, in clear contravention to Europol policy.
"A security investigation regarding this case is on-going, in coordination with the respective authorities at national level to which the staff member returned. Current information suggests that the security breach was not ill-intended.
"Although this case relates to Europol sensitive information dating from around 10 years ago, Europol immediately informed the concerned Member States. As of today, there is no indication that an investigation has been jeopardised, due to the compromise of this historical data. Europol will continue to assess the impact of the data in question, together with concerned Member States.
"Human error is the weakest link when it comes to the intersection of staff, data, and technology. Although this risk can never fully be ruled out, Europol's systems and the security training offered to Europol staff are constantly reviewed. Europol is serious about maintaining the trust from EU Member States and partners."