Exposure of EU Officials' Phone Location Data via Data Brokers
A coalition of European journalists revealed that commercially available location data, sold by data brokers, included detailed movement histories of top European Union officials and employees. The reporters obtained a free sample dataset containing 278 million location points from millions of devices around Belgium, with granular data on individuals working at the European Commission and European Parliament. The investigation demonstrated that it was possible to identify private addresses and daily routines of senior EU officials, raising significant concerns about the effectiveness of the EU's data protection laws in preventing such privacy breaches.
In response to the findings, the European Commission expressed concern over the trade of geolocation data involving both citizens and officials. The Commission issued new guidance to staff on disabling ad tracking and informed member states' Computer Security Incident Response Teams (CSIRTs) about the risks. Despite the General Data Protection Regulation (GDPR) being considered one of the world's strictest privacy laws, the incident highlights regulatory gaps regarding data brokers and the ongoing vulnerability of sensitive personal data to commercial exploitation and potential surveillance.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Citizen Lab exposes Webloc ad-data surveillance used by state customers
Citizen Lab reported that Cobwebs Technologies' Webloc platform used mobile advertising data to enable historical and near real-time tracking, geofencing, travel analysis, and relationship mapping. The report said law enforcement, military, and intelligence users in the United States, Hungary, and El Salvador used the system, potentially affecting up to 500 million devices globally.
Report highlights GDPR enforcement gaps enabling commercial surveillance
Coverage of the findings emphasized that, despite the EU's strong data protection framework such as GDPR, weak enforcement allowed the data-broker industry to continue offering highly sensitive location data with limited oversight. The disclosures raised privacy and national-security concerns about the trackability of senior EU officials.
Journalists find brokers selling EU officials' phone location histories
A coalition of journalists uncovered that data brokers were selling detailed mobile-phone location histories tied to European Union officials, including personnel in sensitive roles at the European Commission and European Parliament. The reporting said the commercially available datasets contained millions of location points and could be used to track officials' movements.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Citizen Lab: Webloc tracked 500M devices for global law enforcement
securityaffairs.com
Open sourcePhone location data of top EU officials for sale, report finds
databreaches.net
Open sourceEuropean Union officials vulnerable to location tracking despite strong data protection laws
scworld.com
Open sourceData brokers selling location info that can be used to track EU officials, report finds
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EU Digital Omnibus Proposals Face Privacy Watchdog Backlash Over GDPR Changes
European privacy watchdogs and digital rights advocates are pushing back against the European Commission’s proposed **“Digital Omnibus”** package, arguing that amendments billed as regulatory “streamlining” could **weaken EU privacy protections** and erode fundamental rights. Reported concerns focus on proposed changes to the **GDPR**, including narrowing the definition of **personal data** so that not all data that could potentially be linked to an identifiable person would qualify, alongside other adjustments intended to reduce compliance friction (e.g., reducing cookie banner requirements in some cases and simplifying multi-law breach notification processes). Separately, UK officials told Parliament that **legacy IT** is impeding implementation of technical controls meant to prevent repeats of the Ministry of Defence’s highly sensitive Afghan data exposure, where roughly **19,000** resettlement applicants’ details were compromised via a **CC instead of BCC** email error. The government’s Information Security Review recommended shifting cross-government information sharing away from email/attachments and toward source-based sharing, but ministers and the chief data officer cited departmental system fragmentation as a barrier to rolling out attachment-blocking and safer data-transfer mechanisms at scale.
Mar 21, 2026
European Commission Probes Breach of Amazon Cloud Environment
The European Commission is investigating a breach after a threat actor gained unauthorized access to its Amazon cloud infrastructure and at least one account used to manage that environment. According to reports, the intrusion was detected quickly by the Commission’s cybersecurity incident response team, but the actor claims to have exfiltrated more than **350 GB** of data, including multiple databases. Screenshots shared with reporters allegedly show access to European Commission employee information and an email server used by staff. The actor reportedly said they do not intend to extort the Commission and instead plan to leak the stolen data later. The incident adds to a recent string of security problems at European institutions: the Commission had already disclosed a separate breach tied to a compromised mobile device management platform, apparently linked to exploitation of **Ivanti Endpoint Manager Mobile** code-injection vulnerabilities that affected other organizations in the region as well.
Apr 24, 2026
Commercial Location Data Exposed U.S. Troops to Surveillance by Foreign Adversaries
The U.S. Department of Defense has confirmed that foreign adversaries used commercially available location data to target and surveil American military personnel in operational theaters, including the Middle East. A newly disclosed U.S. Central Command letter said it had received multiple threat reports involving hostile actors exploiting data collected from phones and computers through the advertising and data-broker ecosystem. Lawmakers led by Senator Ron Wyden and Representative Pat Harrigan said the disclosures amount to the first public confirmation that purchased commercial geolocation data was used against U.S. troops in active war zones, and warned that the ad-tech industry now poses a **national security threat**. The reports say Pentagon safeguards were insufficient: service members were allowed to use personal devices in operational areas, no policy required geolocation to be disabled in active war zones, and even government-issued devices did not fully block advertising-related tracking. Critics said the risk had been documented for years, citing contractor briefings dating back to 2016, demonstrations tracing personnel from U.S. bases to a covert site in Syria, and later studies showing brokers could easily sell sensitive data on service members. The Pentagon said it is moving to a new mobile device management system to better disable location services, but lawmakers warned that broader use of bring-your-own-device policies and weak regulation of data brokers continue to leave troops exposed.
Jun 10, 2026