CERT‑EU: European Commission hack exposes data of 30 EU entities
European Union CERT‑EU has identified the TeamPCP threat group as responsible for a major cloud hack that compromised the European Commission’s Amazon Web Services environment, exposing data from at least 29 other EU entities and 42 internal Commission clients. The breach began on March 10 when TeamPCP used a stolen AWS API key—originating from a Trivy supply‑chain attack—to gain management access to the Commission’s accounts. They then leveraged tools such as TruffleHog to locate additional secrets, added new credentials to existing users to evade detection, and exfiltrated tens of thousands of files containing personal information, usernames, email addresses, and outbound email content. The stolen dataset was released by the extortion group ShinyHunters on the dark web in a 90 GB archive (340 GB uncompressed). No websites were taken offline or tampered with, and no lateral movement to other Commission AWS accounts has been detected. CERT‑EU is continuing its analysis and has notified relevant data protection authorities while maintaining direct communication with affected entities.

European Union cybersecurity authorities have released details of a major cloud breach that affected the European Commission’s cloud environment and, more broadly, exposed data from a number of Union entities. The incident has been attributed to the TeamPCP threat group, and CERT-EU’s analysis indicates that the breach opened access to information across at least 29 other bodies within the European Union. The European Commission itself disclosed the breach on March 27 following inquiries from security press, with CERT-EU confirming that the organization’s Cybersecurity Operations Center did not become aware of API misuse, potential account compromise, or unusual network activity until March 24, five days after the initial intrusion.
The sequence of the attack began on March 10, when attackers leveraged a compromised Amazon Web Services API key that granted management rights over multiple EC2 and AWS accounts. The key was stolen in connection with the Trivy supply-chain incident that has previously been linked to wider credential theft in software development pipelines. Once inside the Commission’s AWS environment, the attackers used TruffleHog to search for additional credentials and sensitive information, attaching a newly created access key to an existing user account in an effort to fly under the radar while conducting reconnaissance and data exfiltration. This multi-stage approach illustrates how an initial foothold can be expanded by exploiting cloud credentials and then disguising subsequent activity to evade detection.
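A detection check for the evasion step described above, added here as an example and not taken from the CERT-EU report or the Commission's own tooling: it walks constructed CloudTrail-shaped records and scores every CreateAccessKey call, weighting callers that authenticate with a long-lived key, keys attached to a user other than the caller, and source addresses outside a trusted range. The trusted network, account id, user names, key ids and IPs are all assumptions.

```python
import ipaddress

# Constructed sample data in CloudTrail's field layout (not incident logs); ids and IPs are invented.
def rec(time, name, ip, ident, target=None):
    r = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
         "sourceIPAddress": ip, "userIdentity": ident}
    if target:
        r["requestParameters"] = {"userName": target}
    return r

CI = {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}
ADMIN = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}
SAMPLE_EVENTS = [
    rec("2026-03-10T02:14:00Z", "CreateAccessKey", "198.51.100.7", CI, "ci-deploy"),
    rec("2026-03-10T02:16:30Z", "CreateAccessKey", "198.51.100.7", CI, "web-admin"),
    rec("2026-03-10T02:17:00Z", "ListUsers", "198.51.100.7", CI),
    rec("2026-03-10T09:00:00Z", "CreateAccessKey", "10.20.30.40", ADMIN, "new-hire"),
]
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the organisation's own egress ranges

def score_event(event):
    """Return a finding dict for a CreateAccessKey record, or None for any other event."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreateAccessKey":
        return None
    ident = event.get("userIdentity", {})
    caller = ident.get("userName") or ident.get("arn", "unknown")
    # CreateAccessKey without a userName parameter creates a key for the calling user.
    target = event.get("requestParameters", {}).get("userName") or caller
    score, reasons = 1, ["access key created"]
    # Permanent user keys start with AKIA, temporary STS credentials with ASIA; a permanent key
    # minting a further key is the stolen-key pattern described above.
    if ident.get("accessKeyId", "").startswith("AKIA"):
        score += 2
        reasons.append("caller used a long-lived access key")
    if target != caller:
        score += 2
        reasons.append(f"key attached to a different user ({target})")
    try:
        if not any(ipaddress.ip_address(event.get("sourceIPAddress", "")) in n for n in TRUSTED_NETWORKS):
            score += 1
            reasons.append("source IP outside trusted ranges")
    except ValueError:  # AWS services log a DNS name here instead of an IP; leave it unscored
        pass
    return {"time": event.get("eventTime"), "caller": caller, "target": target,
            "score": score, "reasons": reasons}

def find_suspicious_key_creations(events, threshold=4):
    """Findings scoring at or above threshold, highest first; routine admin onboarding stays below it."""
    found = [f for f in map(score_event, events) if f and f["score"] >= threshold]
    return sorted(found, key=lambda f: f["score"], reverse=True)
```

In a real deployment the same scoring would run over CloudTrail delivered to S3 or CloudWatch Logs, and the trusted-range check should be replaced with the organisation's actual egress inventory.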
The broader attribution of TeamPCP is consistent with a pattern of targeting developer ecosystems and software supply chains. The group has been connected to attacks on prominent platforms and repositories, including well-known package indices and code hosting services. In this case, the attackers’ methods align with their history of exploiting cloud credentials and abusing trusted software supply chains to widen access and maximize impact. The incident sits within a wider context of clusters of activity that have repeatedly targeted tooling and dependencies used by developers, a pattern that makes cloud environments particularly attractive to this threat group.
Meanwhile, data published by a separate extortion operation added another layer of impact. On March 28, the ShinyHunters group released a 90-gigabyte archive of the stolen dataset on its dark web infrastructure, with the material reportedly comprising tens of thousands of files and a large swath of personal information. CERT-EU’s ongoing analysis confirms that the attackers obtained tens of thousands of files containing personal data, usernames, and email addresses, with the data linked to websites hosted for a substantial number of clients of the Europa hosting service. The breach is described as affecting 42 internal European Commission clients and at least 29 other Union entities that rely on europa.eu hosting services.
Initial descriptions of the data exfiltrated point to a substantial volume of outbound communications data. The published dataset includes at least 51,992 files associated with outbound email communications, totaling about 2.22 gigabytes. While most of these messages are automated notifications with little substantive content, certain bounce-back messages—the replies generated in response to user-sent emails—could reveal the original user-submitted content. This creates a heightened risk of exposure for personal data contained in user communications, even when the primary content of automated notices appears minimal.
The exact scope of affected entities is still being established, but early assessments indicate the breach touches 42 internal European Commission clients alongside the 29 additional Union bodies that rely on the europa.eu web hosting infrastructure. Importantly, CERT-EU noted that no websites were taken offline or tampered with as part of the incident, and there was no evidence of lateral movement into other Commission AWS accounts during the observation window. The investigation into the full extent of exfiltrated databases and files is expected to require a considerable amount of time, as authorities and the Commission coordinate with data protection authorities and directly with potentially affected entities to manage remediation and notification.
This incident follows another European Commission data breach disclosed in February, in which a mobile device management platform used to oversee personnel devices was compromised. Taken together, these events underscore the persistent vulnerability of cloud-based assets and the importance of safeguarding credentials and supply-chain integrity in a landscape where attackers routinely pivot from initial access to broader data exfiltration across multiple domains. As investigations continue, the Commission and CERT-EU are working with data protection authorities and affected parties to determine exact exposure levels and to implement measures intended to prevent similar incidents in the future.