Incident report regardin cyber-attack on Christine Lagarde
Dear European Central Bank,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting the incident report or reports regarding the recent cyber-attack targeting ECB President Christine Lagarde, as reported by Bloomberg news agency and other
media outlets on July 12, 2022. I would also like to request any follow-ups within the ECB and with other institutions on said attack. This is meant to include letters, e-mails, text messages and other documents relating to said attack.
Yours faithfully,
Alexander Fanta
Schönhauser Allee 6-7
10119 Berlin
Germany
Dear Mr Fanta,
Thank you for your request dated 31 August 2022 for access to European
Central Bank (ECB) documents.
In accordance with Article 7(1) of [1]Decision ECB/2004/3 of the European
Central Bank, you will receive a reply within 20 working days.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[2][email address]
Privacy notice: By submitting a request for access to documents, the ECB
collects information about you for the sole purpose of processing your
request in accordance with [3]Decision ECB/2004/3. All personal data are
processed in accordance with EU Data Protection Law ([4]Regulation (EU)
2018/1725 of the European Parliament and of the Council). The ECB is the
controller for the processing of the personal data. The recipients of the
data will be the ECB’s Compliance and Governance Office and, only when
necessary, other institutions within the European System of Central Banks,
the Single Supervisory Mechanism, or EU institutions.
You have the right to restrict processing and to access, rectify and under
certain conditions to request deletion of your stored personal data. You
can exercise your rights by contacting the ECB's Compliance and Governance
Office ([5][email address]) or the ECB’s Data Protection
Officer ([6][email address]). Furthermore, you have the right to address
the European Data Protection Supervisor ([7]www.edps.europa.eu) any time
regarding this processing of your personal data.
Dear Mr Fanta,
We refer to your request dated 31 August 2022, for access to European
Central Bank (ECB) documents.
We regret to inform you that, due to the increased workload created by a
high number of requests, the ECB has not yet been able to conclude its
internal assessment process as well as a detailed analysis of all legal
aspects related to the possible disclosure of the requested documents.
In accordance with article 7(3) of [1]Decision ECB/2004/3 of the European
Central Bank, the ECB has decided to extend the time limit for responding
to your application by 20 working days.
We apologise for the inconvenience this delay may cause.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[2][email address]
_____________________________________________
From: Access to documents <[3][email address]>
Sent: Thursday, September 1, 2022 15:02
To: Alexander Fanta <[4][FOI #11788 email]>
Cc: Access to documents <[5][email address]>
Subject: AoR: [EXT] access to documents request - Incident report regardin
cyber-attack on Christine Lagarde
Dear Mr Fanta,
Thank you for your request dated 31 August 2022 for access to European
Central Bank (ECB) documents.
In accordance with Article 7(1) of [6]Decision ECB/2004/3 of the European
Central Bank, you will receive a reply within 20 working days.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[7][email address]
Privacy notice: By submitting a request for access to documents, the ECB
collects information about you for the sole purpose of processing your
request in accordance with [8]Decision ECB/2004/3. All personal data are
processed in accordance with EU Data Protection Law ([9]Regulation (EU)
2018/1725 of the European Parliament and of the Council). The ECB is the
controller for the processing of the personal data. The recipients of the
data will be the ECB’s Compliance and Governance Office and, only when
necessary, other institutions within the European System of Central Banks,
the Single Supervisory Mechanism, or EU institutions.
You have the right to restrict processing and to access, rectify and under
certain conditions to request deletion of your stored personal data. You
can exercise your rights by contacting the ECB's Compliance and Governance
Office ([10][email address]) or the ECB’s Data Protection
Officer ([11][email address]). Furthermore, you have the right to
address the European Data Protection Supervisor ([12]www.edps.europa.eu)
any time regarding this processing of your personal data.
Dear Mr Fanta,
Please find attached the reply of the European Central Bank (ECB) to your
request dated 31 August 2022 for access to ECB documents.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[1][email address]
_____________________________________________
From: Access to documents <[2][email address]>
Sent: Wednesday, September 28, 2022 15:37
To: Alexander Fanta <[3][FOI #11788 email]>
Cc: Access to documents <[4][email address]>
Subject: Extension of deadline: [EXT] access to documents request -
Incident report regardin cyber-attack on Christine Lagarde
Dear Mr Fanta,
We refer to your request dated 31 August 2022, for access to European
Central Bank (ECB) documents.
We regret to inform you that, due to the increased workload created by a
high number of requests, the ECB has not yet been able to conclude its
internal assessment process as well as a detailed analysis of all legal
aspects related to the possible disclosure of the requested documents.
In accordance with article 7(3) of [5]Decision ECB/2004/3 of the European
Central Bank, the ECB has decided to extend the time limit for responding
to your application by 20 working days.
We apologise for the inconvenience this delay may cause.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[6][email address]
_____________________________________________
From: Access to documents <[7][email address]>
Sent: Thursday, September 1, 2022 15:02
To: Alexander Fanta <[8][FOI #11788 email]>
Cc: Access to documents <[9][email address]>
Subject: AoR: [EXT] access to documents request - Incident report regardin
cyber-attack on Christine Lagarde
Dear Mr Fanta,
Thank you for your request dated 31 August 2022 for access to European
Central Bank (ECB) documents.
In accordance with Article 7(1) of [10]Decision ECB/2004/3 of the European
Central Bank, you will receive a reply within 20 working days.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[11][email address]
Privacy notice: By submitting a request for access to documents, the ECB
collects information about you for the sole purpose of processing your
request in accordance with [12]Decision ECB/2004/3. All personal data are
processed in accordance with EU Data Protection Law ([13]Regulation (EU)
2018/1725 of the European Parliament and of the Council). The ECB is the
controller for the processing of the personal data. The recipients of the
data will be the ECB’s Compliance and Governance Office and, only when
necessary, other institutions within the European System of Central Banks,
the Single Supervisory Mechanism, or EU institutions.
You have the right to restrict processing and to access, rectify and under
certain conditions to request deletion of your stored personal data. You
can exercise your rights by contacting the ECB's Compliance and Governance
Office ([14][email address]) or the ECB’s Data Protection
Officer ([15][email address]). Furthermore, you have the right to
address the European Data Protection Supervisor ([16]www.edps.europa.eu)
any time regarding this processing of your personal data.
Dear European Central Bank,
Please pass this on to the person who reviews confirmatory applications.
I am filing the following confirmatory application with regards to my access to documents request 'Incident report regarding cyber-attack on Christine Lagarde', reference number: LS/PS/2022/51.
I understand that the need for public security especially regarding high-ranking figures is paramount, however I kindly want to ask the ECB to consider this appeal and grant widest-possible access in line with Regulation 1049/2001 and Article 42 of the Fundamental Rights Charter. While I agree giving full access to information on cybersecurity safeguards of the ECB could perhaps risk giving an advantage to possible attackers, I would like to ask whether this really applies to the documents in their entirety. Furthermore, I ask to consider whether the documents in question could not at least be released partially with appropriate redactions in those areas where concrete details of safeguards are discussed.
Regarding your refusal to provide access under Article 4(2) for the protection of inspections and audits, I would like to ask the ECB to examine it can grant at least limit access to the documents and parts of documents protected by this exception. I note that the European Court of Justice in Franchet and Byk (T-391/03 and T-70/04) stated that this exception only applies if disclosure of the documents in question endangers the completion of the investigation. In this regard, I would ask the ECB to re-examine those sections of the documents where access was denied under Article 4(2) to see whether it could be granted at least in redacted form.
Furthermore, with regard to the documents and parts of documents withheld under Article 4(2), I argue there is an overriding public interest in disclosure. The European Union has seen a sharp rise in cyber attacks in recent years. According to a CNN report, the EU cyber security agency ENISA stated there were 304 significant, malicious attacks against “critical sectors” in 2020, more than double the 146 recorded the year before.[1] The recent spyware attack against Commissioner Reynders and other Commission officials with the infamous Pegasus spyware may count as example that the EU institutions, too, are under significant threat from cyber attacks. At the same time, a recent report by the European Court of Auditors notes that the level of preparedness of the EU institutions is “overall not commensurate with the threat” posed by outside actors.[2] One of the key insights of the report is that there is “insufficient cooperation” by institutions, “which do not always share timely information on vulnerabilities and on significant cybersecurity incidents that have impacted them or may impact others”. As the present incident involving President Lagarde highlights, such incidents affect not only the EU institutions themselves, but also member state and other public institutions. I therefore argue that, while there is an understandable need to protect the ongoing investigation into the incident, there is indeed a potential risk to the public interest if the ECB does not share more information about the incident as this could shield attackers who use similar tactics on other public institutions in Europe. On the contrary, making some more general information about the root causes and nature of the attack as well as information about the attacker available would assist other institutions, as well as the general public, in building resilience against similar attacks. I therefore ask the ECB to give widest possible access to the documents in question. I note that I make my request as journalist, a role the European Court of Human Rights has acknowledged as “social watchdog”, in the public interest.
Yours faithfully,
Alexander Fanta
[1] https://edition.cnn.com/2021/06/10/tech/...
[2] https://www.eca.europa.eu/Lists/ECADocum...
Dear Mr Fanta,
The European Central Bank (ECB) confirms receipt, on 27 October 2022, of
your confirmatory application for access to documents as specified in your
email below.
Your request has been registered and a reply will be provided to you in
line with Article 8 of [1]Decision ECB/2004/3 of the European Central
Bank, within 20 working days.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[2][email address]
Dear Mr Fanta,
We refer to your confirmatory application of 27 October 2022.
We regret to inform you that, due to the increased workload created by a
high number of simultaneous requests, the ECB has not yet been able to
conclude its internal assessment process as well as a detailed analysis of
all legal aspects related to the possible disclosure of the requested
documents.
In accordance with Article 8(2) of [1]Decision ECB/2004/3 of the European
Central Bank, the ECB has decided to extend the time limit for responding
to your application by 20 working days.
We apologise for the inconvenience this delay may cause.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[2][email address]
_____________________________________________
From: Access to documents <[3][email address]>
Sent: Friday, October 28, 2022 12:08
To: Alexander Fanta <[4][FOI #11788 email]>
Cc: Access to documents <[5][email address]>
Subject: AoR: [EXT] Internal review of access to documents request -
Incident report regarding cyber-attack on Christine Lagarde
Dear Mr Fanta,
The European Central Bank (ECB) confirms receipt, on 27 October 2022, of
your confirmatory application for access to documents as specified in your
email below.
Your request has been registered and a reply will be provided to you in
line with Article 8 of [6]Decision ECB/2004/3 of the European Central
Bank, within 20 working days.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[7][email address]
Dear Mr Fanta,
Please find attached the reply of the European Central Bank (ECB) to your
confirmatory application dated 27 October 2022 for access to ECB
documents.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[1][email address]
_____________________________________________
From: Access to documents <[email address]>
Sent: 24 November 2022 17:04
To: Alexander Fanta <[FOI #11788 email]>
Cc: Access to documents <[email address]>
Subject: Extension of deadline: Internal review of access to documents
request - Incident report regarding cyber-attack on Christine Lagarde
Dear Mr Fanta,
We refer to your confirmatory application of 27 October 2022.
We regret to inform you that, due to the increased workload created by a
high number of simultaneous requests, the ECB has not yet been able to
conclude its internal assessment process as well as a detailed analysis of
all legal aspects related to the possible disclosure of the requested
documents.
In accordance with Article 8(2) of [2]Decision ECB/2004/3 of the European
Central Bank, the ECB has decided to extend the time limit for responding
to your application by 20 working days.
We apologise for the inconvenience this delay may cause.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[3][email address]
_____________________________________________
From: Access to documents <[4][email address]>
Sent: Friday, October 28, 2022 12:08
To: Alexander Fanta <[5][FOI #11788 email]>
Cc: Access to documents <[6][email address]>
Subject: AoR: [EXT] Internal review of access to documents request -
Incident report regarding cyber-attack on Christine Lagarde
Dear Mr Fanta,
The European Central Bank (ECB) confirms receipt, on 27 October 2022, of
your confirmatory application for access to documents as specified in your
email below.
Your request has been registered and a reply will be provided to you in
line with Article 8 of [7]Decision ECB/2004/3 of the European Central
Bank, within 20 working days.
Yours sincerely,
Compliance and Governance Office
DG Secretariat
European Central Bank
Sonnemannstrasse 20
60314 Frankfurt am Main
[8][email address]