EU bars staff from webmail after suffering 'serious and targeted' cyber attack

Commission officials were among those whose systems were attacked

Two EU bodies have suffered a 'serious and targeted' cyber attack this week, prompting the organisation to take unprecedented measures in response.

Attacks on the Commission and the European External Action Service (EEAS) were discovered on Tuesday. A spokesperson for vice-president Neelie Kroes of the EU's Digital Agenda programme said that the EU is taking urgent measures to protect both institutions.

"An inquiry has been launched, and is ongoing to select effective counter-measures to avoid similar infections in the future. Additional technical and organisational measures will also be taken in order to better protect access from the outside," she said.

She added that the attacks are being treated as serious not because of scale, but because they were targeted.

"Wrongdoers targeted the data of some Commission officials."

A message was sent to all staff in the Commission and the EEAS detailing the measures to be taken, including stopping external webmail access, and access to the Commission's internal intranet (My IntraComm) from outside the Commission.

All users have also been obliged to change their passwords, for fear of compromise.

"We have not taken measures on this scale before. In the past, it could happen that some targeted users were asked to change their password."

The Commission recently urged all member states to establish national or governmental Computer Emergency Response Teams (CERTs) in its communication on Critical Information Infrastructure Protection.

A CERT for all the EU institutions is also under preparation as announced in the Digital Agenda last May. When it starts operating in June this year, it will provide an enhanced capacity in detecting and responding to cyber attacks such as this.

At the end of March, the Commission will present a communication on Critical Information Infrastructure Protection, "Achievements and next steps: towards global cyber security", which will be discussed by EU ministers in mid April.