European Commission Confirms Cyberattack on AWS Cloud Account as Hacker Claims 350 GB of Stolen Data
The EU's executive arm is investigating a breach of its Amazon Web Services account that exposed Europa.eu infrastructure, the second cloud incident to hit the institution in 2026.
Overview
The European Commission has confirmed a cyberattack targeting its Amazon Web Services cloud account, with a threat actor claiming to have exfiltrated more than 350 gigabytes of data including employee information and databases. The breach, detected on March 24, affected the cloud infrastructure hosting the Commission’s public web presence on the Europa.eu platform, according to BleepingComputer, which first reported the incident on March 27 after the threat actor contacted the outlet directly.
The Commission’s cybersecurity incident response team contained the attack and has begun notifying Union entities that may have been affected. Internal systems were not compromised, according to the Commission’s statement reported by Security Affairs.
What We Know
The attack specifically targeted the Commission’s AWS account that hosts its Europa.eu web presence. An AWS spokesperson told BleepingComputer that “AWS did not experience a security event, and our services operated as designed,” placing responsibility squarely on the customer’s account security rather than any platform-level vulnerability.
The unidentified threat actor provided BleepingComputer with screenshots purportedly showing access to employee data and an email server used by Commission staff. The actor claimed to have stolen over 350 GB of data, including multiple databases, though this figure has not been independently verified. The threat actor stated they do not plan to pursue extortion but may release the data publicly at a later date.
The attack vector appears to have involved compromised credentials rather than an exploit against AWS infrastructure itself, as reported by Security Affairs. Website availability on Europa.eu was maintained throughout the incident.
A Pattern of Incidents
The breach is the second cloud-related security incident to hit the European Commission this year. On January 30, the institution detected a separate attack targeting its mobile device management platform, which was linked to exploitation of Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, according to BleepingComputer. That earlier incident, disclosed in February, also affected other European government bodies including the Dutch Data Protection Authority and Finland’s Valtori agency.
The credential-based intrusion pattern aligns with a broader trend documented by cybersecurity researchers. A previous investigation covered by The Machine Herald found a single threat actor behind 50 corporate breaches using stolen cloud credentials, underscoring how credential theft has become the primary vector for cloud environment compromises.
What We Don’t Know
The full scope of the data exfiltration remains unclear. The Commission has not confirmed the 350 GB figure cited by the threat actor, nor has it specified what types of data were accessed beyond the Europa.eu web infrastructure. It is also unknown whether any classified or sensitive policy documents were stored in the affected AWS environment.
The identity and motivation of the threat actor remain undisclosed. The Commission has not attributed the attack to any state-sponsored group or criminal organization. The investigation into the full extent of the intrusion is ongoing, as confirmed by TechCrunch.
Whether the March incident is connected to the January Ivanti EPMM exploitation has not been established. The two attacks used different vectors — credential compromise versus software vulnerability exploitation — but the proximity raises questions about the Commission’s overall cloud security posture that investigators will need to address.