📢 Data Breach Notification to Members

Dear EMA Members,

We are writing to inform you of a data security incident that affected the Erasmus Mundus Students & Alumni Association (EMA AISBL).

What happened?

During a review of EMA systems, we identified that on 30 June 2025 (prior to the leadership handover), complete data from one of the Association’s accounts was downloaded to a private system without any disclosure to this date. Similar incidents have also been detected on 4^th, 5th, 6th, 7th, 13th, 14th, 23rd and 30th July from another account. Further investigation is ongoing to determine the full extent of the breach. 

What information was involved?

The files accessed included personal and sensitive information of our members and volunteers, such as:

• Personal contact details (emails, phone numbers, signatures, and addresses);

• Passports and ID documents of some EMA members;

• CVs and professional details submitted for volunteering and applications;

• Recorded interviews related to EMA activities and recruitment;

• Passwords and access credentials for all association systems;

What are the risks?

 This information could be misused for:

• Unsolicited contact or harassment using personal emails or phone numbers;

• Identity misuse or fraud based on personal data contained in CVs, pictures, and addresses;

• Reputational harm if sensitive personal or professional details are misused or disclosed without consent;

• Potential account compromise if passwords or credentials are reused elsewhere;

Because of the nature of the data involved, this incident may expose members to both financial and reputational damages.

What we are doing?

• In accordance with the European Union General Data Protection Regulation (2016/679) requirements, we are hereby disclosing to all EMA members, who may be potentially affected data subjects, about the breach that was identified.

• We are revoking access to all accounts that we do not have clarity on who is using. 

• We are conducting a full review of past access logs to ensure no further unauthorised activity occurred.

• We have notified the involved individuals requesting clarifications.

• We are working on the formal notification to the competent Data Protection Authority, as required by the EU GDPR regulation; and

• We are working with external experts to strengthen our data protection and governance policies going forward.

What you can do?

We recommend that you take the following steps as a precaution:

• Be alert to unexpected emails, calls, or messages that reference your CV or personal information.

• Do not click on suspicious links or share further personal details in response to unsolicited contact.

• Consider updating passwords if you reuse the same ones for any accesses related to EMA.

• If you suspect misuse of your information, please contact us immediately and, if needed, report it to your local Data Protection Authority.

Our commitment

We understand that the actions detailed above, specially the revocation of access to accounts, may impact your activities as volunteers. However, protecting your personal information is our top priority. We are working to promptly identify the extent of the breach and to reinstate the access to the accounts as soon as possible. We regret that this incident occurred, and we are committed to preventing it from happening again.

For questions or to exercise your GDPR rights, please contact us at data@em-a.eu.