Information about personal data breach

05 September 2022

The International Centre for Migration Policy Development (ICMPD) has recently become the target of an external cyber-attack. The attackers managed to gain limited access to individual servers and to get hold of some of our data.

Immediately after discovering the attack ICMPD has taken all measures to limit the impact of this attack. In parallel, ICMPD reported the issue to the Austrian Data Protection Authorities in accordance with the regulations. The criminal investigation of this case is currently ongoing and ICMPD is cooperating with the authorities.

Information about personal data breach

In accordance with the applicable data protection regulations (Art. 34 General Data Protection Regulation, GDPR), ICMPD is obligated to inform all individuals whose data has been affected by the incident.

In the past years and months, you participated in activities conducted by ICMPD such as studies, workshops, study visits, conferences etc. and provided personal information in this context. Due to the still ongoing forensic analysis, we cannot yet provide a final assessment of all data affected by the incident. From what we are able to assess so far the stolen data include:

 Personal information as for instance full names, addresses, phone numbers, citizenship, emergency contacts etc.

  • Personal information as for instance full names, addresses, phone numbers, citizenship, emergency contacts etc. 
  • Copies of proof of identity (e.g. passport or ID cards) 
  • (anonymised) Interview/Questionnaire 
  • Video/Voice recordings 
  • if applicable, refugee status 
  • if applicable, employment/medical information 

It must be assumed that the attackers will try to publish or sell at least parts of the stolen data.

Possible offences related to the misuse of personal data might include:

  • Acts of fraud (e.g. online orders, online sales, etc.) or deception (e.g. creation of websites with the obtained personal information) using the stolen data 
  • Registration of accounts for the purpose of carrying out criminal acts online using the stolen data 
  • Use of stolen data to spread fake news or disinformation campaigns (e.g. creation of false social media accounts etc.) 
  • Direct blackmail or threats of the concerned individuals

ICMPD is currently not aware of any data leaks or misuse of stolen data; the situation is of course constantly monitored in coordination with the competent authorities. Should you have any further questions, please get in touch with

We apologise for any inconvenience resulting from this cyber-attack, and thank you for your understanding.

Yours sincerely,

ICMPD Cyber Incident Response Team