The website of Luxembourg's parliament, pictured, was hacked and non-public administrative data was accessed Maison Moderne archives

The website of Luxembourg's parliament, pictured, was hacked and non-public administrative data was accessed Maison Moderne archives

Luxembourg public radio station 100,7 broke the news of the hacking and data leak last week, saying that sensitive data about MPs had been accessed by simply modifying the website URL.

The Chamber of Deputies responded with a statement on Wednesday saying the flaw in the system had been fixed, and any data accessed was administrative information which was not classified but not also not public.

In a statement published on Tuesday, the parliament said:

“An investigation by an independent expert is underway to determine objectively and safely as to how the programming error occurred and why the security flaw was not found.”

It denies, however, that internal documents were not protected:

“No-one from outside would be able to access this data through a normal search on the Chamber of Deputies website. The person who accessed the site had attempted to do so over several days.”

It said the person responsible had acted deliberately to access non-public data without authorisation. But, it said the question remained why this person wished to access these documents. “The chamber reserves the right to take other legal steps, including for misuse of non-public documents,” the statement ended.

According to new technology specialist lawyer Thierry Reisch, speaking to Paperjam, if it can be proven the person responsible fraudulently accessed the data, they could face a prison sentence of two months to two years and a fine of €500 to €25,000. The question for the prosecution will be to find out if sufficient protections were in place since it is claimed that the data was accessed through simple manipulation of the URL.