Mobile device vulnerability

Last Friday evening DG DIGIT sent a message to (some) colleagues about the “cybersecurity incident of 30 January 2026” (link), stating that this incident “may have allowed access to the names and mobile phone numbers of staff”. The incident was reportedly contained quickly, and no compromise of mobile devices has so far been detected.

The incident is far too serious to be dealt with by a light communication of this type. Being informed about DG DIGIT’s reaction and the other information shared is useful, but for R&D the real questions are different, notably the following:

Key points requiring clarification:

  • Does “mobile phone numbers of staff” refer only to official business mobile phone numbers, or were private phone numbers, increasingly used for institutional apps and authentication, also (or only) affected?
  • If private phone numbers were exposed, is it possible that attackers now hold the highly sensitive combination of EU civil servant + personal phone number + institutional apps?
  • Many colleagues use personal phones for authentication, Commission apps, myPMO, messaging and external contacts. A leaked private number is therefore not a minor issue: it significantly increases the risk of targeted phishing, fake IT-support messages, interception of verification codes and unwanted contact on private apps.
  • Colleagues also use private email addresses for account recovery. Clear confirmation that these were not exposed would be reassuring.

Besides, this communication was not sent to all staff. Does this mean that those who received it were the ones whose numbers were exposed? The opposite? A random selection of recipients? A clear and consistent message is necessary to prevent confusion and rumours.

When the institution relies on personal devices for professional tasks, colleagues are entitled to full transparency when incidents occur. While no IT system is ever fully secure, R&D expects DIGIT to explain how this incident occurred, who is impacted, what impacted colleagues should do, and what measures will be taken to prevent future exposure of colleagues’ personal data.

The “ironies of fate” for our administration

The biggest irony of this incident is that it comes at a moment when R&D and other trade unions are negotiating with the administration (DG HR and the Secretary-General) a proposed Commission Decision on “means of urgent internal communication”, which foresees that “Private mobile phone numbers should be collected and stored using a dedicated IT tool for security, business continuity and work-related reasons. Private mobile phone numbers stored in the dedicated IT tool should only be accessible to specific staff members, who need such access to perform their duties as line managers, for business continuity or for security or safety emergencies, on a ‘need to know’ basis.”

The security of our private personal data is non-negotiable, and the recent incident shows that the Commission has not managed to secure it. Securing it is a necessary condition: without it, the staff representation will not continue to participate in any negotiation that foresees the storage of our personal mobile phone numbers or other sensitive personal information in Commission tools.

The second irony of fate is that this incident coincides with the period in which ENISA, the EU Agency for Cybersecurity, holds the rotating chair of the EUAN (EU Agencies Network). Not bad at all for our cybersecurity experts, who, according to the news, have among other things also “hit the headlines” for publishing their report on cybersecurity threats using artificial intelligence without properly disclosing it (EU-Sicherheitsbehörde blamiert sich mit KI-Einsatz, “EU security agency embarrasses itself with its use of AI”).

Cristiano SEBASTIANI,

President