On March 24, 2026, the European Commission detected unauthorized access to the Amazon Web Services cloud environment hosting its public-facing Europa.eu websites. The threat actor claims to have taken over 350 GB of data, has provided screenshots as proof of access, and has announced plans to publish the data rather than demand a ransom. Internal Commission systems were not affected. The investigation is ongoing.
The European Commission is one of the most politically significant technology targets on the continent. It manages EU-wide policy, coordinates digital regulation across member states, and in January 2026 had just proposed a new Cybersecurity Package designed to harden the bloc against state-backed intrusions and critical infrastructure attacks. Within weeks of that proposal being published, attackers were already inside the Commission's cloud.
What Happened
The intrusion was detected on March 24, 2026. Commission spokesperson Thomas Regnier confirmed the incident publicly on March 27, stating that the attack "affected part of our cloud infrastructure" and that immediate containment steps had been taken. A formal statement published on the Commission's website described the breach as targeting "its cloud infrastructure hosting the Commission's web presence on the Europa.eu platform."
Early forensic findings confirmed that data was taken from the affected websites. The Commission stated that internal systems remained entirely unaffected and that the Europa websites continued operating without downtime throughout the incident. Officials said they were still working to determine the full technical scope of the compromise.
"We have taken immediate steps and contained the attack. Risk mitigation measures were also implemented. The investigation is ongoing but we can already confirm that the Commission's internal systems were not affected by the cyber-attack." — European Commission spokesperson Nika Blazevic, via TechCrunch, March 27, 2026
The strict network segmentation between the public-facing AWS environment and the Commission's core administrative infrastructure appears to have prevented lateral movement. Security teams isolated the affected cloud environment and moved to revoke the access paths used by the attacker.
How Did the Attacker Get In?
The Commission has not confirmed the initial access vector, and official statements are deliberately narrow at this stage of the investigation. But the field of realistic possibilities is not large. Cloud account breaches that originate at the IAM layer typically trace back to one of four routes: a phishing attack that captured administrator credentials, credential stuffing using data from a prior breach of a related account, exposure of a long-lived AWS access key in source code or a misconfigured repository, or — less commonly — a compromised endpoint belonging to someone with cloud management access.
Phishing remains the statistically dominant entry point for cloud account takeovers targeting government bodies, and it fits the timeline here. The breach was detected on March 24 and disclosed publicly on March 27 — a three-day gap that suggests rapid detection rather than a prolonged dwell period. If the attacker had used an access key that had been sitting exposed for weeks or months, defenders would likely have seen earlier anomalies in CloudTrail logs. A credential stolen through phishing and used immediately is consistent with both the speed of detection and the scale of the claimed exfiltration.
The credential-stuffing scenario is also credible given that the January 2026 MDM breach exposed staff names and mobile numbers. While phone numbers alone do not directly enable cloud authentication, a spear-phishing campaign built from that data — targeting the specific individuals who manage the Commission's AWS accounts — would carry significantly higher success rates than a generic attack. The January breach, in other words, may have served as reconnaissance for the March one. Officials have not confirmed or denied any connection between the two incidents.
A forensic investigation will examine CloudTrail logs for the originating IP, the user agent of the authenticating session, the geolocation and ASN of the request, and whether MFA was bypassed or simply not enforced on the compromised account. Until those findings are released — if they ever are — the access vector remains officially unconfirmed.
What Was Taken
The threat actor reached out directly to BleepingComputer before the Commission made any public statement, claiming to have exfiltrated more than 350 GB of data from the Commission's AWS environment. The data allegedly includes multiple databases and internal files. Screenshots provided to the publication appeared to show access to information belonging to European Commission employees and to an email server used by Commission staff.
The Commission's own statement confirmed that early investigation findings suggest data was taken from the affected websites, but did not specify what categories of data were involved or confirm the volume claimed by the attacker. Officials committed to notifying specific EU bodies that may be affected by the exposure, signaling that the stolen data may contain information relevant to other institutions beyond the Commission itself.
Critically, the attacker stated they have no intention of demanding a ransom. Instead, they indicated they plan to release the stolen data publicly at a later date. This is a pattern associated with hacktivism and certain nation-state-aligned campaigns, where the goal is reputational damage or diplomatic signaling rather than financial gain. The threat actor also told BleepingComputer they may still retain access to a Commission email server, though officials have not confirmed or denied this claim.
The attacker's decision to contact a cybersecurity publication before the Commission made any disclosure is consistent with pressure-campaign tradecraft. The public release of screenshots ahead of an official statement is designed to force the target into a reactive posture, accelerating reputational harm before containment messaging can be prepared.
AWS Was Not the Breach Point
Amazon issued a clear statement in response to reporting on the incident: "AWS did not experience a security event, and our services operated as designed." This distinction matters and is frequently misunderstood in cloud breach reporting. The Commission's environment on AWS was compromised — not Amazon's underlying infrastructure.
Early assessments from security researchers suggest the breach originated in the identity and access management layer of the Commission's cloud environment rather than through an unpatched vulnerability in an AWS service. In cloud architectures, IAM is the control plane — it determines who can authenticate, what they can access, and which administrative actions are permitted. A single compromised IAM credential with sufficient privileges can grant sweeping access to stored data, configuration files, and connected services without triggering conventional intrusion detection signals.
"The reality is, identity access management is hard, and not just in AWS. It's the same challenge with all infrastructure. How do we guarantee the authorized person has legitimate access? It only takes one mistake." — Kellman Meghu, CTO at DeepCove Cybersecurity, via CSO Online
Meghu noted that his own practice enforces AWS Identity Center sign-on rather than IAM-generated static keys, and uses a "break glass" strategy for administrative accounts — requiring two-person authorization via credentials and hardware tokens for root access, with the account stored outside AWS entirely. This architecture generates alerts for any access attempt, authorized or not.
This is the same principle behind the token-based attacks that have bypassed MFA at scale in enterprise Microsoft environments — when access control is compromised at the authentication layer, perimeter defenses and encryption become largely irrelevant. The data is accessible to whoever holds valid credentials, regardless of how those credentials were obtained.
The Shared-Responsibility Problem
Amazon's statement — "AWS did not experience a security event, and our services operated as designed" — is technically accurate and legally important. It is also, in a practical sense, beside the point for every government organisation running workloads on public cloud infrastructure. The shared-responsibility model that governs cloud security agreements divides obligations cleanly on paper: the provider secures the hardware, the hypervisor, the physical facilities, and the underlying network. The customer secures everything above that line — the operating systems, applications, data, identity configuration, and access controls.
What the European Commission breach illustrates is that the customer side of that line is enormous, complex, and increasingly the primary attack surface. AWS performed exactly as contracted. The Commission's account-level controls did not. From the attacker's perspective, there was no need to go anywhere near Amazon's infrastructure — the keys to the data were sitting at the identity layer, and the identity layer was the customer's responsibility.
This is not a critique of cloud computing or of AWS specifically. The same dynamic applies to every major cloud platform. What it does mean is that public-sector organisations cannot treat "we use AWS" as a security posture. The platform's security certifications — FedRAMP, ISO 27001, SOC 2 — describe what Amazon does. They say nothing about the security of a given customer's identity configuration, key management practices, or access policies. For an institution of the Commission's political significance and data sensitivity, those customer-side controls need to be held to the same standard as the underlying infrastructure.
A Pattern of Attacks on EU Institutions
This is the second confirmed breach of European Commission systems in 2026. The first, detected on January 30 and publicly disclosed on February 9, targeted the Commission's central mobile device management infrastructure. CERT-EU, the cybersecurity team protecting EU institutions and agencies, contained that intrusion and cleaned the affected system within nine hours. The Commission said the incident may have exposed staff names and mobile phone numbers for some employees. No mobile devices themselves were compromised.
That January breach was not an isolated incident. The Dutch Data Protection Authority and the Council for the Judiciary confirmed around the same time that their systems had been accessed via two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile: CVE-2026-1281 and CVE-2026-1340, both rated CVSS 9.8. These are unauthenticated command injection flaws that allow an attacker to execute arbitrary code on affected servers without any valid credentials. Finland's Valtori — a government ICT center serving agencies under the Ministry of Finance — also confirmed a breach around the same time, with up to 50,000 government workers potentially affected.
The exploitation campaign did not stop at initial access. Researchers at Defused Cyber identified a dormant Java class loader being deployed to compromised EPMM instances at the path /mifs/403.jsp — a webshell that requires a specific trigger parameter to activate and shows characteristics consistent with initial access broker tradecraft. The Shadowserver Foundation found more than 50 likely-compromised EPMM servers in the immediate aftermath of disclosure. NCSC-NL advised all organizations running Ivanti EPMM to treat their systems as compromised regardless of patch status, because threat actors had been observed removing traces of exploitation after the fact.
The March AWS breach has not been attributed to the same campaign. The attack vectors appear different. But the two incidents together describe a sustained period of targeting against EU infrastructure — one hitting mobile management through a specific software vulnerability, the other targeting cloud account-level access controls.
"A quiet leak can be just as damaging for trust, diplomacy, and ongoing investigations, and it forces defenders into a messy mix of containment, forensics, and communications while the organization is still determining what was breached and what is still exposed." — Security analyst quoted by Cybernews
This environment of sustained pressure is precisely what the Commission's January 2026 Cybersecurity Package was designed to address. That legislation proposed new frameworks for managing high-risk suppliers in telecom supply chains and strengthening incident response coordination across member states. The Council of the EU also sanctioned three Chinese and Iranian companies in March 2026 for orchestrating attacks against critical infrastructure of EU member states. The political backdrop is not incidental to the threat landscape — it almost certainly shapes it.
Why Cloud IAM Is the New Attack Surface
The European Commission breach — assuming the IAM-layer hypothesis holds — is consistent with a broader shift in how sophisticated attackers approach cloud environments. Where legacy attacks prioritized exploiting application vulnerabilities or pivoting through exposed services, the current pattern involves targeting the administrative controls that govern cloud access itself.
This is not unique to AWS. The same risk exists in Azure Entra ID, Google Cloud IAM, and any managed cloud platform where credentials, roles, and policies are centrally administered. A compromised service account with broad read permissions, a leaked long-lived access key, or a phished administrator credential can expose the same data as a full server compromise — in some cases more, because it bypasses host-based detection entirely.
Organizations running cloud workloads for government functions need to treat identity infrastructure as frontline attack surface, not as a configuration concern managed separately from the threat model. That means enforcing least-privilege access policies, using short-lived credentials where possible, enabling CloudTrail or equivalent audit logging with alerting on anomalous API calls, and maintaining hardware-backed multi-factor authentication for all accounts with data access.
AWS Organizations allows accounts to be separated into isolated units so that a compromise in one account cannot directly propagate to others. Using AWS Identity Center for sign-on eliminates long-lived IAM keys. Service control policies (SCPs) at the organization level can restrict data movement even from privileged accounts, providing a defense-in-depth layer against insider misuse and credential theft alike.
The Commission noted in its post-breach statement that forensic findings would be applied to harden its cloud architecture. That process typically involves reconstructing the full timeline of the intrusion, identifying how initial access was obtained, reviewing IAM policy configurations, rotating all potentially exposed credentials, and auditing access logs for evidence of persistence mechanisms or secondary tooling left behind by the attacker.
GDPR Obligations and the Regulator That Got Breached
There is an acute irony embedded in this incident that has received less attention than it deserves. The European Commission is the institution responsible for proposing, enforcing, and shaping the General Data Protection Regulation — the legislation that imposes strict data breach notification and security obligations on organisations processing EU residents' personal data. The Commission is not exempt from those obligations. It is subject to a parallel framework — Regulation 2018/1725 — which applies GDPR-equivalent standards to EU institutions, bodies, and agencies. The supervisory body for that framework is the European Data Protection Supervisor.
Under that regulation, the Commission is required to notify the European Data Protection Supervisor of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals' rights and freedoms, those individuals must also be notified directly. The Commission has said it will notify specific EU bodies that may be affected by the exposure — which suggests personal data for individuals beyond Commission staff may be involved — but has not yet disclosed whether a formal notification to the EDPS has been filed or what categories of personal data were confirmed compromised.
This matters beyond procedural compliance. The Commission has levied significant fines against private-sector organisations for inadequate breach response under GDPR. A breach of the Commission's own cloud environment, combined with a delayed or incomplete notification to its own supervisory authority, would draw scrutiny that no amount of political framing can easily deflect. The institution's credibility as a data protection regulator is partly measured by how it behaves when it is the one that got hit.
When the Data Is Actually Published
The public record, as it stands, ends at the point where the threat has been made. But the downstream consequences of an actual publication deserve serious consideration, because the Commission's exposure does not end at containment — it begins a second phase when the data drops.
Three hundred and fifty gigabytes is a large dataset. Even if only a fraction of it contains personally identifiable information or operationally sensitive material, a public release creates an immediate targeting environment for every actor with an interest in EU affairs. Staff whose names, contact details, or internal communications appear in the dump become candidates for spear-phishing, vishing, and social engineering campaigns. Commission officials involved in active regulatory proceedings — antitrust investigations, AI Act enforcement, digital market negotiations — become targets for intelligence collection from parties on the other side of those proceedings.
The stated retention of email server access adds a further dimension. An active email server foothold would give an attacker visibility into ongoing correspondence — the kind of operational intelligence that benefits both nation-state collection programs and commercial actors in adversarial negotiations with EU regulators. The Commission has not confirmed whether that access has been revoked. Until it is confirmed gone, every sensitive communication that passes through an affected server is potentially compromised.
For institutions that receive communications from the Commission — EU member state governments, regulatory bodies, major technology companies under investigation — the practical question is whether their own defences are sufficient to handle an adversary who arrives equipped with authentic Commission email headers, staff names, and internal context harvested from a 350 GB archive.
Attribution and Motivation
No threat actor has claimed formal responsibility. The attacker communicated with BleepingComputer directly but did not identify themselves or affiliate with a known group. Attribution in cloud identity breaches is harder than in malware-based intrusions because there are fewer technical artifacts — no binary to analyze, no C2 infrastructure to track, no distinctive TTPs embedded in exploit code.
Security experts have offered two primary assessments. Ilia Kolochenko, CEO of ImmuniWeb, told CSO Online that given the attacker's stated intent to publish rather than extort, "the attackers behind are either hacktivists or cyber mercenaries hired by a nation state." He added that in the current geopolitical environment, politically motivated attacks with destructive consequences are likely to increase throughout 2026.
The timing aligns with that analysis. The European Commission had recently proposed stricter cybersecurity legislation targeting high-risk suppliers, particularly in telecom infrastructure. The Council of the EU had just sanctioned Chinese and Iranian companies for infrastructure attacks. The Commission is directly involved in regulating technology companies with significant national-security implications — including cloud providers, AI systems, and critical infrastructure operators. All of these activities make the institution a high-value target for actors seeking reputational damage, intelligence collection, or diplomatic leverage.
The absence of a ransom demand is a significant behavioral signal. Ransomware groups and financially motivated actors almost universally demand payment. When an attacker takes data, demonstrates access, and threatens publication without asking for anything in return, the goal is almost always pressure — on the institution, on its partners, or on the political processes that institution influences. This is the same calculus seen in recent attacks targeting cloud-hosted government data across Europe.
What Public-Sector Cloud Operators Should Do Now
The European Commission breach is not an isolated failure of one institution's security team. It is a signal about the current threat level targeting EU public-sector cloud infrastructure. Any government body, regulatory agency, or intergovernmental organisation running workloads on AWS, Azure, or Google Cloud should treat this incident as a prompt for immediate posture review, not as someone else's problem.
The highest-priority actions revolve around identity. Audit every IAM user, role, and service account in your cloud environment for accounts with permissions that exceed what they demonstrably need. Long-lived access keys — particularly those created years ago and never rotated — are the credential-theft equivalent of a door left unlocked. Enumerate them, evaluate whether they are still needed, and replace them with short-lived credentials or instance profile roles where possible. Any account with the ability to read from databases, access S3 buckets containing sensitive data, or invoke administrative APIs should require hardware-backed MFA at minimum. Root account access should follow a break-glass protocol: stored outside the cloud environment, requiring multiple-person authorisation, and generating an immediate alert on any access attempt.
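As an added illustration of the audit step described above, and of the earlier guidance on short-lived credentials and mandatory MFA in the section on cloud IAM as an attack surface, the following Python is not from the original reporting and is not Commission or AWS tooling. It reads a report in the column layout returned by `aws iam get-credential-report`, here a constructed sample with a subset of the real columns, hypothetical usernames and a made-up account id, and flags the conditions the paragraph calls out: an active key on the root account, console users without MFA, and active access keys that are old, unused, or never used. The 90-day thresholds and the evaluation date are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds; adjust to the organisation's own rotation standard.
MAX_KEY_AGE_DAYS = 90
MAX_UNUSED_DAYS = 90

# Constructed sample in the layout of `aws iam get-credential-report` (subset of
# the real columns). Account id, usernames and timestamps are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T09:00:00+00:00,not_supported,2026-03-20T10:00:00+00:00,true,true,2022-06-01T00:00:00+00:00,2023-01-15T12:00:00+00:00,false,N/A,N/A
web-deploy,arn:aws:iam::111122223333:user/web-deploy,2022-05-10T08:00:00+00:00,false,no_information,false,true,2022-05-10T08:00:00+00:00,2026-03-23T22:10:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-01-05T08:00:00+00:00,true,2026-03-24T07:45:00+00:00,false,false,N/A,N/A,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2025-11-01T08:00:00+00:00,true,2026-03-22T07:45:00+00:00,true,true,2026-02-01T00:00:00+00:00,2026-03-23T16:00:00+00:00,false,N/A,N/A
"""

# Assumed evaluation date for the constructed sample.
SAMPLE_NOW = datetime(2026, 3, 25, tzinfo=timezone.utc)


def _parse_ts(value):
    """The report uses sentinel strings where no timestamp applies."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for the credential hygiene problems the text describes."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should be break-glass only; it should never hold a programmatic key.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has an active access key"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {slot} is {(now - rotated).days} days old"))
            if last_used is None:
                findings.append((user, f"access key {slot} is active but has never been used"))
            elif now - last_used > timedelta(days=MAX_UNUSED_DAYS):
                findings.append((user, f"access key {slot} unused for {(now - last_used).days} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the assumed evaluation date."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Against a real account the CSV would come from `aws iam get-credential-report` (the report body is base64-encoded in the API response) and the findings would feed a ticket per user rather than stdout; the point is that every condition in the paragraph is mechanically checkable from data AWS already provides.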
On the detection side, CloudTrail (or its equivalent in other cloud platforms) should be shipping logs to a SIEM with alerting on anomalous API calls — unusual GetObject volume, API calls from new geographies or ASNs, role assumption chains that do not match established baselines, and administrative actions executed outside of business hours. If your current setup cannot alert on an IAM credential being used from a datacenter IP at 3am to query ten thousand database records, it is not sufficient for a government-grade threat environment.
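The following Python is an added example, not part of the original reporting and not a Commission, AWS or SIEM product rule set. It runs the alerting logic the paragraph describes over a handful of constructed CloudTrail-style records (real field names such as `eventName`, `sourceIPAddress`, `userIdentity.sessionContext.sessionIssuer.arn`, `requestParameters.roleArn` and `additionalEventData.MFAUsed`; made-up account id, usernames, bucket names and IPs from documentation ranges). It covers the four signals listed above (GetObject volume, calls from outside known networks, role-assumption chains off the baseline, and off-hours administrative actions) plus the MFA check from the earlier forensic discussion. The allowlisted network stands in for the geolocation/ASN lookup a production pipeline would do, and the thresholds, baseline chain and business-hours window are assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed tunables and baselines; a real deployment derives them from history.
GETOBJECT_THRESHOLD = 3                                     # per principal per window (tiny for the sample)
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # stand-in for known egress ranges / ASNs
BUSINESS_HOURS_UTC = range(7, 19)
ADMIN_EVENTS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
                "PutBucketPolicy", "UpdateAssumeRolePolicy"}
BASELINE_ASSUME_CHAINS = {("arn:aws:iam::111122223333:role/ci-runner",
                           "arn:aws:iam::111122223333:role/deploy")}


def principal_of(event):
    """Stable principal name: the issuing role for assumed-role sessions, else the caller ARN."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or ident.get("arn", "unknown")


def detect(events):
    """Return (rule, principal, detail) alerts for the anomaly classes the text lists."""
    alerts, getobject_counts, seen_sources = [], Counter(), set()
    for ev in events:
        principal, name = principal_of(ev), ev["eventName"]
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        src = ev.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in KNOWN_NETWORKS) and (principal, src) not in seen_sources:
                seen_sources.add((principal, src))
                alerts.append(("unknown-source-network", principal, f"first seen via {name} from {src}"))
        except ValueError:
            pass  # AWS service principals carry a hostname here, not an IP
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console-login-without-mfa", principal, src))
        if name == "GetObject":
            getobject_counts[principal] += 1
        if name == "AssumeRole":
            target = ev.get("requestParameters", {}).get("roleArn")
            if (principal, target) not in BASELINE_ASSUME_CHAINS:
                alerts.append(("unbaselined-role-assumption", principal, target))
        if name in ADMIN_EVENTS and when.hour not in BUSINESS_HOURS_UTC:
            alerts.append(("off-hours-admin-action", principal, f"{name} at {when:%H:%M}Z"))
    for principal, count in getobject_counts.items():
        if count >= GETOBJECT_THRESHOLD:
            alerts.append(("getobject-volume", principal, f"{count} GetObject calls in window"))
    return alerts


# Constructed identities and events; nothing below is taken from the incident.
USER_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}
ROLE_CI = {"type": "AssumedRole",
           "arn": "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42",
           "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ci-runner"}}}


def _ev(time, name, source, ip, identity, **extra):
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "sourceIPAddress": ip, "userIdentity": identity}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _ev("2026-03-24T03:02:00Z", "ConsoleLogin", "signin.amazonaws.com", "198.51.100.7", USER_ALICE,
        additionalEventData={"MFAUsed": "No"}),
    *[_ev(f"2026-03-24T03:0{m}:00Z", "GetObject", "s3.amazonaws.com", "198.51.100.7", USER_ALICE,
          requestParameters={"bucketName": "example-db-exports", "key": f"dump-{m}.sql.gz"})
      for m in range(4, 8)],
    _ev("2026-03-24T03:09:00Z", "AssumeRole", "sts.amazonaws.com", "198.51.100.7", USER_ALICE,
        requestParameters={"roleArn": "arn:aws:iam::111122223333:role/deploy"}),
    _ev("2026-03-24T03:10:00Z", "CreateAccessKey", "iam.amazonaws.com", "198.51.100.7", USER_ALICE,
        requestParameters={"userName": "alice"}),
    _ev("2026-03-24T10:00:00Z", "AssumeRole", "sts.amazonaws.com", "203.0.113.5", ROLE_CI,
        requestParameters={"roleArn": "arn:aws:iam::111122223333:role/deploy"}),
    _ev("2026-03-24T10:01:00Z", "GetObject", "s3.amazonaws.com", "203.0.113.5", ROLE_CI,
        requestParameters={"bucketName": "example-static-assets", "key": "index.html"}),
]

if __name__ == "__main__":
    for rule, principal, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {principal}: {detail}")
```

The constructed day-time CI activity produces no alerts while the 03:00 UTC session trips every rule, which is the shape of the "3am from a datacenter IP" scenario the paragraph describes; note that GetObject records only exist if S3 data-event logging is enabled for the buckets in question, which is itself a configuration the posture review should confirm.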
Network architecture matters too. The Commission's containment was aided by segmentation between its public-facing AWS environment and its internal systems. Organisations that have not drawn a clear architectural boundary between their public-cloud presence and their core networks are one compromised IAM credential away from a lateral-movement scenario far more damaging than what happened here.
Frequently Asked Questions
Attackers compromised the European Commission's Amazon Web Services cloud environment, which hosts the Commission's public web presence on the Europa.eu platform. At least one AWS account used to manage that cloud infrastructure was compromised. Internal Commission systems were confirmed unaffected.
The breach was discovered on March 24, 2026. The Commission publicly confirmed the incident on March 27, 2026, following a report by BleepingComputer.
The threat actor claimed to have exfiltrated over 350 GB of data, including multiple databases and internal files. Screenshots provided to BleepingComputer appeared to show access to employee information and an email server used by Commission staff. The Commission has not independently confirmed the volume.
No ransom was demanded. The threat actor communicated directly with BleepingComputer and stated they do not intend to extort the Commission, but plan to publish the stolen data online at a later date.
No. Amazon stated that AWS did not experience a security event and that its services operated as designed. The breach targeted the Commission's customer-side cloud account, not Amazon's underlying infrastructure.
The two incidents are separate. The January 2026 breach targeted the Commission's mobile device management platform and was linked to Ivanti EPMM zero-day vulnerabilities CVE-2026-1281 and CVE-2026-1340. The March 2026 breach targeted an AWS cloud account. Security researchers note the combined pattern suggests a sustained campaign targeting EU institutions.
Attribution has not been confirmed publicly. Security experts from firms including ImmuniWeb have assessed that the attackers are likely hacktivists or cyber mercenaries working on behalf of a nation-state, given the intent to publish rather than extort and the geopolitical timing of the attack.
The official attack vector has not been confirmed. The most probable routes are: a phishing attack that captured AWS administrator credentials, credential stuffing using data from a prior breach (potentially including the January 2026 MDM breach that exposed staff names and mobile numbers), or a long-lived access key exposed through a misconfigured system or repository. Phishing is the statistically dominant entry point for cloud account takeovers targeting government institutions.
The Commission is subject to Regulation 2018/1725, which applies GDPR-equivalent data protection obligations to EU institutions and bodies. It requires notification of personal data breaches to the European Data Protection Supervisor within 72 hours where feasible, and direct notification to affected individuals where there is high risk to their rights and freedoms. The Commission has not yet disclosed whether a formal notification to the EDPS has been filed.
A public release of 350 GB of Commission data would create an immediate targeting environment for any actor with an interest in EU affairs. Staff identified in the data become candidates for spear-phishing and social engineering. Officials involved in active regulatory proceedings — antitrust, AI Act enforcement, digital market negotiations — become intelligence collection targets. If the attacker retains email server access as claimed, communications through that server may already be compromised, enabling impersonation attacks against institutions that receive correspondence from the Commission.
Key Takeaways
- The breach hit cloud infrastructure, not core systems: The Commission's AWS environment hosting Europa.eu websites was compromised. Internal administrative systems and core networks were isolated and unaffected, limiting the operational impact even as the data exposure risk remains unresolved.
- The attack vector is unconfirmed but the probable field is narrow: IAM-layer compromises typically trace to phishing, credential stuffing, or an exposed long-lived access key. The January 2026 MDM breach — which leaked staff names and mobile numbers — may have served as targeting intelligence for whoever executed the March attack.
- AWS performed as contracted. The shared-responsibility line held at the wrong place: The provider's infrastructure was not touched. That is the expected outcome. It does not mean cloud is secure by default — it means the customer's identity controls are now the primary attack surface, and they carry full responsibility for everything above the infrastructure layer.
- The Commission has GDPR-equivalent notification obligations it must now fulfill: Regulation 2018/1725 requires timely notification to the European Data Protection Supervisor and, where individuals face high risk, direct notification to those affected. How the Commission handles its own breach obligations will be watched closely by the organisations it regulates.
- No ransom means the threat does not end at containment: The attacker's stated goal is publication. When the data drops, it creates a secondary targeting environment — for spear-phishing against identified staff, for intelligence collection against officials in active regulatory proceedings, and potentially for impersonation if email server access is retained.
- The pattern is not random: Two Commission breaches in two months, set against a backdrop of sanctioned adversaries and new cybersecurity legislation, describes a sustained targeting campaign. EU institutions should treat the current period as one of elevated, persistent threat activity requiring posture review across identity, cloud access, and network segmentation.
The investigation into the March 24 breach remains active. The Commission has committed to applying forensic findings to improve its cloud architecture, and to notifying affected EU bodies as the scope of exposed data becomes clearer. The threat actor's stated intent to publish means the incident enters a second, harder-to-manage phase — one where the Commission's options narrow and the downstream consequences depend entirely on what is in those 350 gigabytes.