The Agorà application used by the Cypriot member of the European Parliament, Fidias Panayiotou, and his Direct Democracy Cyprus party does not provide the required personal data protection measures, and publicly exposes almost 40,000 users’ personal information, according to an independent audit confirmed by CIReN.
Despite being informed of the security vulnerability last Thursday, Panayiotou, as the responsible ‘data controller’ for the application, failed to provide notice to the Data Protection Commissioner and inform the users within the 72-hour period mandated under the General Data Protection Regulation (GDPR) of the European Union.
The exposed data includes the date of birth, gender, phone numbers, and email addresses of 39,937 users as of the time of publication. For individuals who were, or had applied to be, candidates in the party’s internal elections, even more personal information is exposed, including their full name, town of residence, and profile pictures.
The researcher who discovered the security gap, and asked to remain anonymous, also shared the findings of their audit with the Cyprus Data Protection Commissioner, Maria Christofidou, last Thursday. CIReN has independently verified the existence of the security vulnerability and its scale.
The vulnerability arises from the fact that Agorà’s Application Programming Interface (API), the system that connects the application to its servers, contains unprotected ‘endpoints,’ which are specific web addresses used to request data, allowing anyone to access users’ personal information without restriction.
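As an added illustration of the weakness described above (not Agorà’s code; all records, tokens and field names are constructed), the same user-profile lookup is shown without any access control and in a hardened form that requires a session and minimises what other users can see, together with the unauthenticated probe a defender would run against each endpoint before release:

```python
from typing import Callable, Dict, Tuple

# Constructed sample records; the fields mirror those the article says were exposed.
USERS: Dict[int, dict] = {
    1001: {"dob": "1990-05-14", "gender": "F", "phone": "+357-99000001",
           "email": "user1@example.invalid", "candidate": False},
    1002: {"dob": "1985-11-02", "gender": "M", "phone": "+357-99000002",
           "email": "user2@example.invalid", "candidate": True,
           "full_name": "Candidate Two", "town": "Nicosia"},
}
# Constructed session store: bearer token -> user id.
SESSIONS = {"tok-alpha": 1001, "tok-beta": 1002}
PII_FIELDS = {"dob", "gender", "phone", "email"}
PUBLIC_CANDIDATE_FIELDS = ("full_name", "town")

Handler = Callable[[int, dict], Tuple[int, dict]]

def vulnerable_get_user(user_id: int, headers: dict) -> Tuple[int, dict]:
    """Weak pattern: headers are never consulted, so any caller can walk
    through user ids and receive every stored field."""
    record = USERS.get(user_id)
    return (200, record) if record else (404, {"error": "not found"})

def hardened_get_user(user_id: int, headers: dict) -> Tuple[int, dict]:
    """Hardened pattern: a valid session is required; callers get their own
    record in full and, for another user, only the fields a candidate has
    chosen to publish. Non-candidates are not visible to other users."""
    token = headers.get("Authorization", "")
    caller = SESSIONS.get(token[7:]) if token.startswith("Bearer ") else None
    if caller is None:
        return 401, {"error": "authentication required"}
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    if caller == user_id:
        return 200, dict(record)
    if record["candidate"]:
        return 200, {k: record[k] for k in PUBLIC_CANDIDATE_FIELDS}
    return 403, {"error": "forbidden"}

def leaks_pii_without_auth(handler: Handler) -> bool:
    """Defender's check: probe every known id with no credentials and report
    whether any response carries a PII field. Suitable as a CI test."""
    for user_id in USERS:
        status, body = handler(user_id, {})
        if status == 200 and PII_FIELDS & set(body):
            return True
    return False
```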
The Agorà app is a platform that allows users to vote on the political positions of Panayiotou as an MEP, as well as those of the Direct Democracy Cyprus party he established in October 2025. The application was most notably used to select the party’s candidates for the upcoming parliamentary elections.
Article 32 of the GDPR stipulates that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data.”
The poor security measures that led to the exposure of users’ personal data appear to constitute a breach of Panayiotou’s obligations as the ‘data controller,’ the role in which he is listed in the application.
“This is, in my view, a serious GDPR infringement, in particular of the principle of integrity and confidentiality (under Article 5(1)(f)) and of the security obligations (under Article 32), given the reported exposure of personal data through unsecured API endpoints, and the contradiction with the app’s own privacy notice,” Maria Berrada, partner attorney at Influxio law practice, said in an analysis she offered to CIReN.
It is unclear whether the data has been accessible since the app’s launch and how many people have had access to it.
“Such a breach is serious,” cyber security expert Koen Van Impe told CIReN. “The biggest threat here is the possibility for malicious actors to bypass the Two-Factor Authentication process using email addresses and phone numbers.” Although it is unlikely, the relevant personal data could be used to carry out identity theft and financial fraud attempts, he added.
Data Protection Commissioner concerns
In October 2025, Cyprus Data Protection Commissioner Christofidou called for a standard impact assessment of the Agorà application. Applications that process political information are legally required under GDPR to undergo an impact assessment before data collection begins.
Because her instructions were not complied with, Christofidou followed up with a formal letter to Panayiotou’s legal team on 20 February requesting the suspension of the application.
Speaking on his social media channels, Panayiotou rejected the suspension of the application, attributing the request to political pressure from other parties, and claiming that “there is no way we will remove the application,” adding that if there are any issues “we will fix them the same day.”
Commenting on the data breach, Commissioner Christofidou told CIReN that her office “has been informed [by the researcher] since Thursday (April 16), and had contacted Panayiotou and his lawyer about the issue, who have yet to respond.”
Direct Democracy Cyprus
The Direct Democracy Cyprus party, announced by Panayiotou via his social media platforms in October 2025, has as its key feature the prominent role given to the party’s grassroots supporters, who vote via the Agorà mobile application to select the party’s candidates for elections, as well as on key policy points and decisions.
Agorà was added to Google Play and Apple App stores in early 2025, and is touted in its listings as a “groundbreaking platform inspired by the principles of openness, transparency, and community participation,” as well as “the future of direct democracy.”
In his announcement of the party and interviews about it, Fidias has often praised the novel nature of this approach, and how it had “never been done before,” a claim that CIReN has previously examined and found to be false.
The Agorà application was developed by Ekkotek Limited, a Cyprus-based app and web development company founded by Yiannis Laouris, an entrepreneur and a candidate for the Direct Democracy Cyprus party in the May parliamentary elections.
Speaking on the podcast ‘Uncensored’ with journalist Chrysanthos Tsouroullis last month, Laouris mentioned some early issues relating to personal data, saying that “from the moment that you don’t keep personal data and it’s verified elsewhere, someone can trick you and re-register, this is a hole that we’re trying to patch, as we don’t want to store personal data, but we need it to verify users.”
Panayiotou and Laouris did not reply to requests for comment regarding the data breach in time for publication.