Agorà app data leak raises serious GDPR concerns

Investigation into Agorà app data leak

Serious questions over data protection have emerged following reports of an Agorà app data leak, with an independent security review allegedly revealing exposed personal data belonging to nearly 40,000 users. The application is used by MEP Fidias Panayiotou and the Direct Democracy Cyprus party.

According to CIReN, the review found that the app lacked adequate security measures, potentially exposing sensitive user information, including dates of birth, gender, phone numbers and email addresses of 39,937 users at the time of publication.

Sensitive data allegedly exposed

The report states that users who participated in internal political processes were even more exposed, with additional personal details such as full names, city of residence and profile photos potentially accessible.

The vulnerability was reportedly identified by an independent cybersecurity researcher who alerted both CIReN and the Cyprus Commissioner for Personal Data Protection. CIReN says it independently verified the existence and scope of the issue linked to the Agorà app data leak.

API vulnerability and security concerns

The issue is believed to stem from the app’s API system, where unsecured endpoints may have allowed unauthorised access to user data. This could theoretically enable anyone to retrieve personal information stored on the platform.

The Agorà app is used as a voting platform for policy positions and party-related decisions within Direct Democracy Cyprus, which was founded in October 2025, as well as for candidate selection ahead of upcoming parliamentary elections.

GDPR implications

Under Article 32 of the GDPR, data controllers must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption and pseudonymisation.

The report suggests that the Agorà app data leak may constitute a breach of these obligations, particularly regarding data security and integrity requirements under Article 5(1)(f).

Lawyer Maria Berrada, cited by CIReN, described the situation as a “serious GDPR violation”, highlighting risks linked to weak authentication safeguards and potential misuse of exposed data.

Cybersecurity risks highlighted

Cybersecurity expert Koen Van Impe warned that exposed emails and phone numbers could be used to bypass two-factor authentication systems, increasing the risk of identity theft or financial fraud, although such attacks would require additional exploitation.

The case also involves earlier intervention from the Data Protection Commissioner, who had already requested a data protection impact assessment for the Agorà app in October 2025. She later called for the suspension of the platform due to non-compliance concerns.

According to the Commissioner, no response was received after contacting Fidias Panayiotou and his legal team following notification of the alleged Agorà app data leak.

Developer response and ongoing questions

The application was developed by Ekkotek Limited, a Cyprus-based software company. Its founder previously acknowledged potential weaknesses in identity verification systems, noting risks of users bypassing controls.

It remains unclear how long the data may have been exposed or whether any unauthorised access occurred during that period.

The investigation into the Agorà app data leak is ongoing.

