Hundreds of Hungarian opposition activists’ data leaked online

A major data breach occurred at the leading opposition TISZA Party when a volunteer database containing a wide range of information, including personal details, sexuality, and political backgrounds of over 500 individuals, was leaked online. While it is unclear who is behind the leak, volunteers we contacted confirmed the data as genuine and that they had signed contracts with the party.

The database in question was leaked to various news outlets, including Átlátszó. In Facebook post on the incident, Péter Magyar, leader of the TISZA Party claimed that the leaked database was a part of a Russian smear campaign.

“The leaked list is the result of a premeditated operation that gathered information on volunteers using Russian methods, specifically on those who had previously been active in one of our community groups,”

Magyar wrote on Facebook, implying that the database was not made by the party, but was compiled using publicly available information.

Apart from basic personal information and contact details, the list also contained information on people’s past experiences with online campaigning, possible fake profiles on Facebook, and political backgrounds. A ‘notes’ section also had personal assessments, such as: “Seems a bit strange, but is very sensitive, helpful, and dedicated. Has done multiple volunteer stints with civil organizations.” Another individual was described: “Committed, self-employed, family supports Fidesz.” Another note read: “Previously assisted in Fidesz’s campaign, was an admin for the local mayor in 2019. Energetic, decisive, technically skilled. Member on XY island, suitable as county coordinator, the interview was very positive.” (“Island” is a term TISZA uses for local groups of activists and sympathisers.)

Volunteers signed contracts with TISZA

Most people we interviewed confirmed that they signed volunteer contracts with the party online, suggesting that the leaked data came from the TISZA Party’s records. Volunteers were also asked what they would tell voters on behalf of TISZA.

One volunteer said they received the contract immediately after an online interview but could not recall exactly who they spoke with since only first names were mentioned. The first names listed for the interviewers in the database matched what the volunteer remembered.

“I had to fill out a GDPR declaration, but I’m not sure who the data controller is since I don’t have the contract with me. I think the person who interviewed me was also a volunteer,”

another shared.

“I know the data leaked. I read about it in the news, and the TISZA Island coordinator also mentioned it. What a story,” one volunteer said laconically.

Some of the listed individuals were weary of speaking to a journalist, while others said they would only comment if the identity of the leaker was revealed. At one phone number we called, a group associated with Péter Jakab’s Nép Pártján Mozgalom answered.

“That’s serious,” one person remarked, adding:

“There’s information in there that I don’t think was in the volunteer contract. We filled out a lot of contracts, basically a contract per detail. I have a contract with the TISZA Party, and since I’m also a data handler for TISZA Island, I had to sign for that too. The interview was on a communication channel linked to Discord, probably with a volunteer. I didn’t know my data had leaked – I wasn’t notified. I can’t find the usual Discord group anymore. It was active yesterday, but today no one is in it, not even the person who ran it for TISZA. We’ve received no information about what happened.”

One lawyer told us:

“I signed the contract online, just had to click to accept, got a copy, and was told to print it out, just in case. I haven’t received any notification about the data leak.”

No notification about the data breach

One volunteer explained details about TISZA Island’s operation: “There’s no volunteer contract for TISZA Island; we had to sign a confidentiality agreement with the TISZA Party. The contract was for online community organizing.” Asked if they’d been contacted by the party about the leak, they replied: “I read about it in the Visszhang Discord group, where Péter Magyar posted about it on Facebook, but I haven’t received any email or other notification.”

Most of the people we spoke to said they had not received any official notification that their data might have been exposed to third parties.

After the publication of our article, the TISZA Party’s press office sent a response, wherein they repeated that “The illegally obtained and leaked data did not come from TISZA’s servers”, however they seemed to confirmed that the database does indeed contain the data of their volunteers.

“A hallmark of Russian disinformation tactics is to flood the public with illegally obtained false data to distract from real issues affecting people’s lives. That is exactly what happened in this case. Here, we are talking about the data of 500 volunteers. Meanwhile, the government remains silent about the leak of data belonging to 500,000 graduating high school students that occurred just yesterday” – they said, referencing a recent cyberattack against the national Education Bureau’s servers, where data of numerous graduating high school students was stolen. News about this incident came public on the same day the TISZA leak happened.

The email also stated that TISZA complies with legal requirements and signs volunteer agreements with every activist, and that they have notified those who were affected.

Source protection still applies

After the publication of our article, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) has launched an investigation into the data breach. As Átlátszó was the first to report on the incident, the authority contacted us and requested that the full leaked database be sent to them.

The problem with this request is that the people confirmed to us the veracity of the leak are our journalistic sources, and

as a matter of source protection, we refused to pass their personal information to a third party.

The database was therefore sent to the authority without any data that could identify the data subjects – name, e-mail address, telephone number, digital identifiers. After the publication of our article, he majority of these data were irretrievably deleted from our servers anyways, as their further processing and retention was no longer necessary and would therefore not have been lawful.

In addition to the transfer of the anonymised database, we were only able to help the data protection authority by confirming what we had described in our article and by indicating that the data had reached our editorial office via the Magyarleaks whistleblowing portal.

Not the first such case

The fact that the data protection authority has launched a procedure in this case should hardly come as a surprise, given that it is a high-risk, serious data breach involving personal data relating to political opinions and hundreds of people. A plethora of cases (including professionally protected public databases) proves that in 2025, any data controller handling personal data in the online space is exposed to data leaks and theft: for example, the aforementioned incident involving the IT system for school-leaving exams.

The public authority procedure under the GDPR is therefore primarily aimed at examining the extent of the controller’s liability and, of course, at ensuring that the controller ensures adequate protection of the personal data processed for the future. The exact outcome of the procedure, and the level of any sanction, will depend on what the controller has done to prevent the breach and to address its adverse consequences for the data subjects.

Judging from previous cases involving the leak of political party supporter data,

the TISZA Party is more likely to get punished than the leaker who is unlikely to be identified.

In 2019, NAIH imposed a data protection fine of 27 600 Euros on the Democratic Coalition (DK) opposition party for an incident involving the data of more than 6,000 individuals. The breach was blamed on the exploitable vulnerability of the party’s website and the lack of proper encryption, but the data controller also failed to report the incident to the NAIH.

In 2022, the Hungarian Two-Tailed Dog Party (MKKP) received a fine of 7526 Euros for a leak involving five hundred supporters, which was similar to the Tisza case in terms of the number of data and the circumstances: there, contact data shared online as a Google Sheets spreadsheet was published, and although it was not revealed whether this was the result of an internal leak or an external attack, the incident was reported by the party.