It looks bad: inside ShinyHunters’ European Commission data breach

The European Commission is attempting to manage the fallout of last week’s massive data breach. It’s already admitted the data theft, but now, the notorious ShinyHunters gang has posted more than 350GB of it on the dark web. Quite a few cyber pros are calling the attack “catastrophic.”
This Monday, nine members of the European Parliament are travelling to China. And because Europe claims to care so much about security regulations, they’re only bringing burner phones, having been told to leave personal devices at home.
Obviously, concerns over Chinese cyberespionage are valid: Chinese hacking groups, mostly state-backed, have been relentlessly attacking European institutions and the private sector in recent years.
But sometimes, one doesn’t need to travel anywhere to have their data intercepted. Last week, the infamous data extortion group ShinyHunters stole a massive dataset from the European Commission and has already posted the data on the dark web.
According to experts, the breach is almost undoubtedly huge, and the implications for the Commission could be “catastrophic.”
Troves of stolen data
Last Friday, the Commission admitted it had detected a cyberattack which “affected cloud infrastructure hosting the Commission’s web presence on the Europa.eu platform” but said it took immediate steps to contain the incident.
The Commission also said its internal systems weren’t affected by the attack, but in the statement, quietly suggested that “data has been taken.” Later, BleepingComputer reported that the Commission’s Amazon AWS accounts had been breached.
Indeed, the very next day, ShinyHunters added the European Commission entry to its leak site and released an archive of over 350GB of files allegedly stolen from the organization’s compromised cloud environment.
“Over 350GB of data was compromised, including data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material,” ShinyHunters said.
It looks like the leaked data includes emails and attachments, a full SSO user directory, DKIM signing keys, AWS config snapshots, NextCloud/Athena data, and internal admin URLs.
“They claim to have data dumps of mail servers, which could in theory expose email conversations including attachments as well,” Cybernews researchers said.
“ID document pictures indicate that at least some part of the data is personally identifiable information that can be used for identity theft and social engineering if there is contact info available.”
If the breach poses a “high risk” to individuals, the Commission is legally required to inform them without undue delay.
Other experts are concerned that the compromise might be especially deep. According to Nick Tausek, Lead Security Automation Architect at Swimlane, the blast radius might go way beyond a single cloud admin account.
“Access to multiple databases in addition to Commission employee data and an internal email server opens the door to identity risk, operational disruption, and second-stage attacks like spearphishing,” he said.
We’ve reached out to the European Commission for further comment on the situation and will update this article once we receive a reply.
Tighter regulation not working so far
An X user, z3n, who calls themselves a biohacker, thinks the breach is extremely worrying, saying that “DKIM signing keys and AWS config snapshots in the same breach is catastrophic.”
“With DKIM keys, ShinyHunters can forge emails that pass authentication from EU Commission domains – perfect for spear-phishing EU member states. And AWS configs mean they potentially had full infrastructure access,” they said.
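The standard response to a leaked DKIM private key is to publish a fresh selector and revoke the old one by leaving its "p=" tag empty (RFC 6376, section 3.6.1); the following added example, which is not code from the article or from the Commission, shows how a receiving side can check whether the selector named in a DKIM-Signature header still points at an active key, so mail signed with a revoked key is treated as unauthenticated. DNS lookups are simulated with an inline dictionary, and the domain, selectors and key text are constructed placeholders.

```python
# Added example (not from the article): auditing DKIM selectors after a
# signing-key leak. A leaked key is revoked by publishing its selector with an
# empty "p=" tag (RFC 6376 section 3.6.1). DNS is simulated with a dict; the
# domain, selector names and key text below are constructed placeholders.

# Constructed stand-in for TXT lookups of <selector>._domainkey.<domain>.
FAKE_DNS = {
    "sel2023._domainkey.example.eu": "v=DKIM1; k=rsa; p=",  # revoked after the leak
    "sel2024._domainkey.example.eu": "v=DKIM1; k=rsa; p=Q09OU1RSVUNURURLRVk=",  # constructed key text
    "old._domainkey.example.eu": "some unrelated TXT record",
}


def parse_tags(tag_list: str) -> dict:
    """Parse a DKIM tag=value list ('v=DKIM1; k=rsa; p=...') into a dict.
    Whitespace inside values (header folding, split TXT strings) is removed."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # only the first '=' separates the tag
            tags[name.strip()] = "".join(value.split())
    return tags


def selector_status(selector: str, domain: str, dns=FAKE_DNS) -> str:
    """Return 'active', 'revoked' or 'missing' for selector._domainkey.domain."""
    record = dns.get(f"{selector}._domainkey.{domain}")
    if record is None:
        return "missing"
    tags = parse_tags(record)
    # v= is optional in the DNS record and defaults to DKIM1; p= is mandatory.
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "missing"
    return "revoked" if tags["p"] == "" else "active"


def audit_signature(header_value: str, dns=FAKE_DNS) -> dict:
    """Classify a DKIM-Signature header value by the state of the key it names.
    Only an 'active' key may be used for verification; a revoked or missing key
    means the signature must be treated as if it were absent."""
    tags = parse_tags(header_value)
    domain, selector = tags.get("d", ""), tags.get("s", "")
    status = selector_status(selector, domain, dns) if domain and selector else "missing"
    return {"domain": domain, "selector": selector, "status": status,
            "verifiable": status == "active"}


if __name__ == "__main__":
    for hdr in ("v=1; a=rsa-sha256; d=example.eu; s=sel2023; h=from:to; bh=abc=; b=xyz=",
                "v=1; a=rsa-sha256; d=example.eu; s=sel2024; h=from:to; bh=abc=; b=xyz="):
        print(audit_signature(hdr))
```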
There’s also a political angle. Since the data has already been released, the key intention is probably to visibly hurt the European Commission and cause it reputational damage.
“This incident can be used to frame the EC as an incompetent and insecure institution, especially since they are considered to be the leaders in setting security regulations,” Cybernews researchers also said.
Indeed, recent proposals to tighten EU cyber legislation and reduce dependence on high-risk suppliers have likely drawn more attention to the European Commission, putting the EU body directly in the crosshairs of cyberattackers.
But so far, it doesn’t seem that the European regulation of cybersecurity is a panacea against data breaches. In January, Commission networks were separately breached as well, exposing the data of staff.
Still, the use of American cloud vendors such as AWS will surely be scrutinized again, with some stakeholders promoting the EU’s digital sovereignty and “EU-made” cloud.