Incident

European Commission Cloud Infrastructure Breached; 350 GB of Data Allegedly Stolen


The European Commission is investigating a cyberattack on March 24, 2026, that targeted its cloud infrastructure. The breach affected the Europa.eu platform, which hosts the Commission's web presence and various public-facing services. The Commission confirmed the incident, and an unidentified threat actor claims to have stolen a significant volume of data from the organization's Amazon Web Services (AWS) environment.

The Commission stated that the attack was contained quickly and did not impact its internal systems.

Attackers gained access by compromising at least one account used to manage the Commission's cloud infrastructure on AWS. The threat actor provided screenshots to BleepingComputer as proof of access, showing they could reach staff data and an employee email server. The Commission's internal systems remain isolated, but the attackers successfully navigated the cloud-hosted web infrastructure before the security team stopped the activity.

According to the threat actor's claims, the stolen data includes:

  • Multiple databases containing web platform information
  • Commission staff data
  • Access logs or records from an employee email server
  • Approximately 350 GB of total stolen files

The number of affected individuals has not been disclosed.

Officials stated that the incident did not disrupt the availability of the Europa websites and that internal systems were not affected. The Commission is currently notifying Union entities that may have been impacted by the breach.

Update - The ShinyHunters gang has claimed responsibility for the attack. 

On April 2, 2026, CERT-EU published an analysis of the incident. Apparently, the root cause of the breach was the supply-chain compromise of Trivy, a widely used security scanning tool.

On March 19, 2026, a threat actor linked to the group TeamPCP exploited the compromised Trivy software to steal an AWS API key, which granted access to cloud accounts underpinning the Commission's "europa.eu" web hosting platform. The attacker used tools like TruffleHog to scan for additional credentials and conducted reconnaissance before the Commission's security operations team detected suspicious API activity and abnormal network traffic on March 24. The compromised credentials were revoked, and CERT-EU was notified the following day.

Approximately 91.7 GB of compressed data was stolen before containment, including personal information such as names, email addresses, and email content tied to as many as 71 clients of the Europa hosting service: 42 internal Commission departments and at least 29 other EU institutions. 

On March 28, the extortion group ShinyHunters published the stolen dataset on their dark web leak site. Allegedly, no websites were taken offline or tampered with, and no lateral movement to other AWS accounts has been confirmed.

CERT-EU is urging all organizations using Trivy to update immediately, rotate exposed AWS credentials, and audit their CI/CD pipelines for signs of compromise.
