
The European Commission reveals hackers infiltrated its networks in early March – also admitting some data was stolen after attackers gained access to its AWS cloud environment.
Update – March 30th, 2026: The alleged hacking group behind the European Commission breach has now been identified as ShinyHunters, a known data extortion group.
- The European Commission says hackers gained unauthorized access to its cloud infrastructure and stole data from websites hosted on the Europa.eu platform.
- Officials say internal systems were not affected, but the attack hit at least one AWS account and the full scope is still being investigated.
- The threat actor claims to have stolen more than 350GB of data and may still have access to a Commission email server.
“On 24 March, the European Commission discovered a cyber-attack, which affected its cloud infrastructure hosting the Commission's web presence on the Europa.eu platform,” the European Union’s executive body posted on its website Friday.
“Early findings of our ongoing investigation suggest that data have been taken from those websites,” it said, adding that “immediate steps were taken to contain the attack.”
Cloud systems breached
Tuesday’s cyberattack was said to “have affected at least one of the Commission's AWS (Amazon Web Services) accounts,” BleepingComputer first reported.
An Amazon spokesperson further relayed that the AWS cloud infrastructure itself was not compromised and that its “services operated as designed,” the tech outlet said.
AWS also clarified to Cybernews on Monday that the incident involved the Commission’s cloud environment and that there is no evidence AWS infrastructure itself was compromised.
The Commission, which stressed that “internal systems were not affected by the cyber-attack,” said it is in the process of notifying the unnamed “Union entities” who might have been affected.
The EU’s executive arm is made up of 27 member states and currently employs about 32,000 civil servants.
The Commission says its swift response to the attack helped contain and mitigate any further damage to the systems, while protecting services and data without disrupting the availability of the Europa websites.
However, the Commission also says it will continue to monitor the situation and is still investigating the full impact of the incident, promising to take “all necessary measures to ensure the security of its internal systems and data.”
Hackers claim 350GB stolen
The Commission did not reveal what data may have been taken, nor how much, but on Friday, BleepingComputer reported that a threat actor claiming responsibility for the attack contacted them earlier this week.
That threat actor has since been identified as ShinyHunters. The seasoned hacker collective claims it stole over 350 GB of data in the attack, including multiple databases, and plans to leak the data online at a later date, the report said.
The actor also apparently sent BleepingComputer several screenshots of stolen documents to prove their legitimacy and further claimed to retain access to an email server used by Commission employees, along with other employee data.
“If this compromise is as deep as the reported 350 GB haul suggests, the blast radius goes way beyond a single cloud admin account,” says Nick Tausek, Lead Security Automation Architect at Swimlane.
“Access to multiple databases in addition to Commission employee data and an internal email server opens the door to identity risk, operational disruption, and second-stage attacks like spearphishing,” he says.
Tausek also says that even though the attacker has claimed they will not attempt to extort the Commission for financial gain, “it does not make the attack less serious; it just changes the playbook.”
“A quiet leak can be just as damaging for trust, diplomacy, and ongoing investigations, and it forces defenders into a messy mix of containment, forensics, and communications while the organization is still determining what was breached and what is still exposed,” he adds.
European Commission faces repeat threat
The breach fits an “uncomfortable pattern,” says Tausek, noting a separate breach of European Commission networks on January 30th.
First disclosed on February 9th and tied to the Commission’s mobile device management environment, the attack was reportedly “linked to Ivanti EPMM exploitation seen across other European institutions, indicating a potential trend line,” Tausek says.
The breach also affected Commission staff, resulting in unauthorized access to staff names and mobile phone numbers, although the employee devices themselves, similarly, were not compromised.
Recent proposals to tighten EU cyber legislation and reduce dependence on high-risk suppliers have likely drawn more attention to the European Commission, putting the EU body directly in the crosshairs of cyber attackers, Tausek says.
Still, Tausek warns that the Commission is a high-value target under constant pressure, and cybercriminals do not need a policy trigger to go hunting.
“Policy moves can raise the temperature, invite probing, and accelerate adversary interest in supply chain weak spots, especially where cloud, third-party tooling, and identity controls intersect,” Tausek explains.
Tausek says the lesson for every public sector team should be to treat cloud access like critical infrastructure, and stop relying on manual swivel-chair responses when the stakes are this high.
“Pull telemetry from your cloud and identity stack into a single workflow, auto-triage and enrich suspicious activity, and kick off containment actions like credential resets, token revocation, and access policy hardening in minutes, not days,” Tausek said.