European Commission Probes Breach of Amazon Cloud Environment
The European Commission is investigating a breach after a threat actor gained unauthorized access to its Amazon cloud infrastructure and at least one account used to manage that environment. According to reports, the intrusion was detected quickly by the Commission’s cybersecurity incident response team, but the actor claims to have exfiltrated more than 350 GB of data, including multiple databases. Screenshots shared with reporters allegedly show access to European Commission employee information and an email server used by staff.
The actor reportedly said they do not intend to extort the Commission and instead plan to leak the stolen data later. The incident adds to a recent string of security problems at European institutions: the Commission had already disclosed a separate breach tied to a compromised mobile device management platform, apparently linked to exploitation of Ivanti Endpoint Manager Mobile code-injection vulnerabilities that affected other organizations in the region as well.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
CERT-EU attributes Commission AWS breach to TeamPCP
CERT-EU said the European Commission's AWS cloud breach was carried out by TeamPCP, which used a compromised AWS API key stolen in the Trivy supply-chain attack to access the environment on March 10. CERT-EU also said the incident potentially exposed data from 42 internal Commission clients and at least 29 other EU entities using the europa.eu hosting service.
ShinyHunters posts European Commission data on leak site
After claiming the Europa.eu breach, ShinyHunters added the European Commission to its leak site and released an archive of more than 90 GB of allegedly stolen files. The group said the material included mail server dumps, databases, confidential documents, and contracts.
European Commission says website data may have been taken
The European Commission said early findings from its investigation indicate some data may have been exfiltrated from the cloud infrastructure hosting Europa.eu websites. It also said potentially affected EU entities are being notified while the investigation continues.
European Commission confirms cloud cyberattack affecting Europa web platform
The European Commission publicly confirmed a cyberattack affecting part of its cloud infrastructure, specifically systems hosting its Europa.eu web presence. It said internal systems were not affected, that containment and risk mitigation measures were taken immediately, and that the investigation was ongoing.
European Commission launches investigation into Amazon cloud breach
The European Commission's cybersecurity incident response team detected the Amazon cloud intrusion quickly and began investigating the breach. The threat actor said they did not plan to extort the Commission and instead intended to leak the allegedly stolen data later.
Threat actor gains access to European Commission Amazon cloud environment
A threat actor obtained unauthorized access to the European Commission's Amazon cloud infrastructure and at least one account used to manage that environment. The actor later claimed to have stolen more than 350 GB of data, including databases, employee information, and access to a staff email server.
European Commission discovers cyberattack on Europa web platform
The European Commission said it discovered a cyberattack on 24 March affecting the cloud infrastructure hosting its Europa.eu web presence. It took immediate containment and mitigation measures, kept the websites available, and initially found no impact on internal systems.
European Commission discloses earlier Ivanti-linked breach
In February, the European Commission disclosed a separate breach tied to the January 30 compromise of its mobile device management platform. Reporting indicated the incident was part of wider exploitation affecting other European institutions.
European Commission discovers compromise in mobile device management platform
The European Commission discovered a compromise affecting a mobile device management platform on January 30. This incident was later linked to broader attacks on European institutions exploiting code-injection vulnerabilities in Ivanti Endpoint Manager Mobile.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
33 references tracked. Mallory keeps watching after this page renders.
Perpetrators Of Massive European Union Breach Identified
cybersecurityintelligence.com
Open sourceDu piratage de Trivy à celui de la Commission européenne, autopsi ...
zdnet.fr
Open sourceEuropean Commission breached after hackers poisoned open-source security tool Trivy
thenextweb.com
Open sourceEuropean Commission breach exposed data of 30 EU entities, CERT-EU says
securityaffairs.com
Open sourceEuropean Commission investigating breach after Amazon cloud hack
bleepingcomputer.com
Open sourceEuropean Commission confirms cyberattack after hackers claim data breach | TechCrunch
techcrunch.com
Open sourceEuropean Commission investigating breach after Amazon cloud account hack
bleepingcomputer.com
Open sourceCommission responds to cyber-attack on its Europa web platform - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
European Commission Confirms AWS-Hosted Cloud Breach and Data Theft
The European Commission disclosed a cyberattack affecting cloud infrastructure used to host websites on the `Europa.eu` platform, saying early findings indicate data was stolen from at least one AWS account in its environment. The Commission said it detected the incident on March 24 and took immediate containment measures, while stressing that its internal systems were not compromised and that AWS infrastructure itself was unaffected. It is notifying potentially affected Union entities and continues to investigate the scope and impact of the breach. Subsequent reporting linked the intrusion to **ShinyHunters**, which allegedly claimed to have taken more than **350GB** of data, including databases, and to still have access to a Commission email server. The cloud breach followed another security incident reported earlier in the year involving European Commission staff mobile devices and a mobile device management environment, with that separate intrusion reportedly associated with exploitation of **Ivanti EPMM**. Together, the incidents have intensified scrutiny of the Commission’s security posture across both cloud-hosted services and employee device management systems.
May 27, 2026
European Institutions Breached via Ivanti Endpoint Manager Mobile Vulnerabilities
The **European Commission** disclosed it is investigating a breach after detecting traces of an attack against its central **mobile device management (MDM)** infrastructure used to administer staff mobile devices. The Commission said the incident was contained and the system cleaned within **nine hours**, and it has not found evidence that managed mobile devices themselves were compromised; however, attackers may have accessed limited staff personal data such as **names and mobile phone numbers**. The activity appears consistent with a broader set of intrusions affecting European public-sector bodies tied to vulnerabilities in **Ivanti Endpoint Manager Mobile (EPMM)**. Dutch authorities reported that the **Dutch Data Protection Authority** and the **Council for the Judiciary/Justice** experienced nearly identical breaches in which unauthorized parties exploited an Ivanti EPMM software flaw to access employee data, including **names, email addresses, and phone numbers**, suggesting a shared exploitation vector across multiple European institutions’ MDM deployments.
Mar 21, 2026
European Space Agency Data Breach via Compromised External Servers
The European Space Agency (ESA) confirmed a data breach after a threat actor claimed to have accessed and exfiltrated over 200 GB of sensitive data from external servers. The attacker, using the alias "888," advertised the stolen data for sale on BreachForums, providing screenshots as proof and claiming to have obtained source code, confidential documents, credentials, API tokens, configuration files, and a dump of private Bitbucket repositories. ESA stated that the incident affected only a small number of external servers used for unclassified engineering and scientific collaboration, and emphasized that the breach did not impact its core corporate network. The agency has initiated a forensic investigation, implemented containment measures, and notified relevant stakeholders, while continuing to assess the full scope of the compromise. The breach was first detected when the attacker announced the sale of the data on December 18, 2025, and maintained access to the compromised servers for about a week. ESA has publicly acknowledged the incident and is providing updates as the investigation progresses. The organization has reassured the public that the affected servers were not part of its main infrastructure and that the impact appears limited, though the full extent of the data exposure is still under review. The incident highlights ongoing threats to scientific and engineering organizations from cybercriminals seeking to monetize stolen intellectual property and sensitive information.
Mar 21, 2026