Data breach reported in Agora application used by MEP Fidias Panayiotou

An investigation by CIReN has revealed a significant security vulnerability in the Agorà application, which is used by MEP Fidias Panayiotou and his party, 'Amessi Dimokratia Kyprou'. The breach exposed the personal data of approximately 39,937 users, including dates of birth, gender, phone numbers, and email addresses. For internal party candidates, additional information such as full names, cities of residence, and profile photos were also accessible due to unprotected API endpoints. An anonymous cybersecurity researcher notified both Panayiotou and the Cypriot Data Protection Commissioner, Maria Christofidou, about the issue on Thursday. While the Commissioner had previously requested a temporary suspension of the app in February due to compliance issues, Panayiotou initially rejected the request, citing political pressure. Later, his legal representation claimed that only certain features were suspended and that they were in dialogue with authorities. Reports indicate that Panayiotou failed to notify the authorities or users within the 72-hour window required by GDPR. CIReN has independently verified the existence and scale of the security gap.