A police officer working for Europol exposed sensitive data about security investigations to the internet.
By Leo Kelion, Technology desk editor
The European Union’s law enforcement agency acknowledged the error ahead of a Dutch documentary’s broadcast.
The TV programme Zembla said it had found more than 700 pages of confidential dossiers, including details of terrorism probes, on a hard drive linked to the net.
It said the networked drive was not password protected.
Europol said it had launched an investigation into the matter.
“Although this case relates to Europol sensitive information dating from around 10 years ago, Europol immediately informed the concerned member states,” a spokesman for the law agency said.
“As of today, there is no indication that an investigation has been jeopardised, due to the compromise of this historical data.
“Europol will continue to assess the impact of the data in question, together with concerned member states.”
A reporter for Zembla told the BBC that it found the documents via a service that specialises in finding internet-connected kit.
“We found the disk online through a search engine called Shodan,” said Vincent Verweij.
“We were able to remotely access the disk through the internet. It didn’t require a password.”
Zembla reported that documents contained the names and telephone numbers of hundreds of people associated with terrorism.
It added that they mostly dated from 2006 to 2008 and included investigations into the Madrid train bombings, the Hofstad Network – a Netherlands-based Islamist terror network – and foiled attacks on several flights.
In addition, it said, other investigations that had never been made public were revealed.
Europol confirmed that the officer had copied the data to a personal drive in “clear contravention” of its rules, but had since left its staff.
The BBC understands that after working for the agency for more than a decade, she now works for the Dutch police.
The hard drive in question was one of Lenovo’s Iomega models. The Chinese company has said that it is the responsibility of owners to make them secure. Later models required that a password needed to be set before their use.
One counter-terrorism specialist said the apparent mistake could have serious consequences.
“Police organisations never want to reveal how much they know to prevent bad guys understanding how the police operate and infiltrate [them],” Dr Bibi van Ginkel, a senior research fellow at the Netherlands Institute of International Relations, said.
“In times that better international co-operation and data exchange is needed, this leak might jeopardise trust between states.”
The revelation coincides with an announcement that Europol’s current director, Rob Wainwright, will take part in a seminar in London in January dedicated to data protection and online privacy.