
European Commission cloud breach: attacker claims 350 GB stolen from Europa.eu

By Adam Bream, Tech Content Writer

The European Commission confirmed a breach of its cloud environment on March 27, 2026. A threat actor claims to have stolen over 350 GB of data from the Europa.eu platform, including multiple databases. This is the Commission's second breach in 56 days.

Detection came on March 24. Internal systems were not affected. "We have taken immediate steps and contained the attack. Risk mitigation measures were also implemented. The investigation is ongoing but we can already confirm that the Commission's internal systems were not affected by the cyber-attack," a Commission spokesperson stated.

Commission investigators believe data was taken. "Early findings suggest that data have been taken from those websites," the Commission stated on its website. Unnamed "Union entities" are being notified. The Commission said forensic findings will be "directly applied to harden its cloud architecture."

AWS itself was not breached. "AWS did not experience a security event, and our services operated as designed," an AWS spokesperson stated.

The threat actor provided screenshots as proof earlier that week. The images showed employee records and a Commission email server. The attacker did not explain how they gained entry and made no ransom demand. They plan to publish the data online.

This does sound bad. This is why I force all my users to use AWS Identity Center sign on. No IAM-generated keys, and admin accounts are only activated through a 'break glass' strategy, where two people are needed to authenticate.

— Kellman Meghu, CTO, DeepCove Cybersecurity

Strict segmentation between the public-facing AWS tier and the Commission's internal networks blocked lateral movement. Europa.eu handles institutional pages, policy documents, and public databases. The Commission's email and classified systems sit on separate infrastructure.

If this compromise is as deep as the reported 350 GB haul suggests, the blast radius goes way beyond a single cloud admin account.

— Nick Tausek, Lead Security Automation Architect, Swimlane

On January 30, the Commission disclosed a separate incident. Attackers exploited two Ivanti EPMM zero-days (CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8) to penetrate the mobile device management platform. Both are code-injection flaws allowing unauthenticated remote code execution. Ivanti had disclosed them just one day earlier, on January 29.

CERT-EU contained that breach within nine hours. Staff names and mobile numbers were exposed, but the mobile devices themselves were not compromised.

Those same Ivanti flaws hit three other European institutions. The Dutch Data Protection Authority, the Dutch Council for the Judiciary, and Finland's Valtori all reported breaches. Up to 50,000 Finnish civil servants had data exposed.

Shadowserver found over 50 EPMM servers likely breached in those attacks. Researchers observed initial access broker tradecraft in the Ivanti campaign. Attackers uploaded a dormant Java class loader web shell, designed to activate later with a specific trigger. No follow-on exploitation was observed at the time of reporting.

Two vectors, two layers, 56 days apart. Not a persistent compromise but repeated targeting from multiple angles against the EU's executive body.

350 GB from Europa.eu combined with staff names and phone numbers from the January Ivanti breach creates a targeting dataset for phishing and impersonation campaigns against 32,000 Commission employees. Segmentation held both times, but the web and MDM layers are now intelligence sources for any actor planning the next attempt.

The attacker's decision to leak rather than extort suggests hacktivist or state-sponsored motivation. The EU Council recently sanctioned Chinese and Iranian companies for cyberattacks against member states. The Commission itself proposed new cybersecurity legislation on January 20. The breach may fuel calls for "EU-made" cloud providers, though analysts doubt this would materially improve security.

For organizations on AWS, the practical takeaway from DeepCove's Meghu is concrete. Enforce AWS Identity Center for all logins, eliminate IAM-generated keys, and require two-person authorization for root accounts. Under AWS's shared responsibility model, account-level access controls are the customer's obligation.
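One way to check an account against that advice is to audit the IAM credential report, which lists every IAM user and the root account with their password, MFA and access key status. The following is an added example, not code from the article or from DeepCove; the sample report is constructed and uses a subset of the report's columns, and two-person authorization is a process control that the report cannot show.

```python
import csv
import io

# Constructed sample in the IAM credential report CSV layout (subset of columns).
# A real report comes from `aws iam get-credential-report` (base64-decoded Content).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2026-01-05T10:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2026-03-01T08:30:00+00:00,true,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
"""

ROOT = "<root_account>"  # name the credential report uses for the root row


def audit_credential_report(report_csv):
    """Return (user, finding) tuples for credentials that bypass Identity Center."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        # Each principal can hold up to two long-lived access keys.
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") == "true":
                last_used = row.get(f"access_key_{slot}_last_used_date", "N/A")
                kind = "root access key" if is_root else "IAM user access key"
                state = "never used" if last_used == "N/A" else f"last used {last_used}"
                findings.append((user, f"{kind} {slot} active ({state})"))
        if is_root and row.get("mfa_active") != "true":
            findings.append((user, "root account has no MFA"))
        # An IAM user with a console password signs in outside Identity Center.
        if not is_root and row.get("password_enabled") == "true":
            mfa = "with MFA" if row.get("mfa_active") == "true" else "without MFA"
            findings.append((user, f"console password enabled {mfa}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

An empty result means no long-lived IAM keys or IAM console passwords remain, and the root account has MFA and no access keys.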


Questions on the topic

Was the European Commission hacked in 2026?
The Commission confirmed two breaches. Attackers stole data from its cloud-hosted Europa.eu on March 24, and Ivanti zero-days exposed staff data from its MDM platform on January 30.