European Password Manager’s Russian Links Raise Questions for Public-Sector Clients

by EUToday Correspondents

The issue is not simply corporate history. Password managers sit at the centre of institutional security, making software provenance and update chains a public-sector risk.

A Spain-based password-management company used by European public-sector and corporate clients has come under scrutiny after an investigation found shared origins and synchronised software updates with a Russian counterpart certified by Russian security bodies.

The OCCRP investigation published on 17 July examined Passwork and its Russian counterpart, reporting overlapping development history, technical similarities and update patterns. The European company says customer data remain on clients’ private servers and denies having a current relationship with the Russian business.

The case matters because password managers are high-trust software. They do not merely store ordinary data; they protect credentials that can open email systems, cloud accounts, finance tools, procurement portals, security dashboards and internal communications. Any uncertainty over development control, code provenance or update channels therefore deserves careful scrutiny.

For public authorities, the question is procurement due diligence. European institutions and national agencies increasingly worry about telecoms, cloud infrastructure and hardware supply chains, but smaller software tools can create comparable exposure. A password manager may be purchased as a productivity product while functioning in practice as a security-critical system.

OCCRP reported that the Russian-linked product had been certified by Russian security bodies and marketed to sanctioned defence manufacturers. That does not by itself establish wrongdoing by the European company. It does show why clients need more than assurances about where their own data are stored.

The stronger question is whether European procurement rules properly examine software development relationships, source-code control, update mechanisms and ownership history. A product can be hosted on a client’s servers yet still depend on external code, patches or vendor decisions.

The case also illustrates a wider cybersecurity problem. Many organisations focus on headline threats such as ransomware or state hacking, but supply-chain risk often begins with trusted tools. Once software is embedded inside an organisation, its updates and administrative privileges can become sensitive attack surfaces.

For European public-sector clients, the immediate response should be verification rather than panic: review contracts, audit update paths, check code provenance where possible, and ensure that credentials can be migrated if confidence in a supplier weakens.

Passwork’s denials and technical explanations should be assessed alongside the documentary and technical evidence reported by OCCRP. The public-interest issue is clear: security software used in Europe should face a level of scrutiny proportionate to the access it protects.

You may also like

EU Today brings you the latest news and commentary from across the EU and beyond.

Editors' Picks

Latest Posts