European Commission Confirms AWS-Hosted Cloud Breach and Data Theft
The European Commission disclosed a cyberattack affecting cloud infrastructure used to host websites on the Europa.eu platform, saying early findings indicate data was stolen from at least one AWS account in its environment. The Commission said it detected the incident on March 24 and took immediate containment measures, while stressing that its internal systems were not compromised and that AWS infrastructure itself was unaffected. It is notifying potentially affected Union entities and continues to investigate the scope and impact of the breach.
Subsequent reporting linked the intrusion to ShinyHunters, which allegedly claimed to have taken more than 350GB of data, including databases, and to still have access to a Commission email server. The cloud breach followed another security incident reported earlier in the year involving European Commission staff mobile devices and a mobile device management environment, with that separate intrusion reportedly associated with exploitation of Ivanti EPMM. Together, the incidents have intensified scrutiny of the Commission’s security posture across both cloud-hosted services and employee device management systems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters reportedly linked to Commission cloud data theft
Later reporting identified the alleged threat actor as ShinyHunters, which claimed to have stolen more than 350GB of data, including databases, and said it still had access to a Commission email server. This attribution and claimed impact expanded understanding of the March cloud breach.
AWS and Commission say core systems were not compromised
In public statements reported by March 27, 2026, AWS and the European Commission said AWS infrastructure itself and the Commission's internal systems were not compromised. The breach was described as limited to cloud infrastructure used for hosting Europa.eu websites.
Commission contains cloud incident and begins notifying affected entities
After discovering the March 24 breach, the European Commission said it took immediate containment measures and began notifying potentially affected Union entities. The Commission also continued investigating the scope and impact of the compromise.
European Commission discovers breach of Europa.eu cloud infrastructure
On March 24, 2026, the European Commission discovered a cyberattack affecting cloud infrastructure used to host websites on the Europa.eu platform. The incident impacted at least one AWS account in the Commission's cloud environment, and early findings indicated data theft.
European Commission investigates breach of staff mobile devices
By February 9, 2026, the European Commission was probing a breach involving staff mobile devices. This appears to be public reporting on the January 2026 mobile-device-related incident.
European Commission mobile device environment breached
In January 2026, the European Commission suffered a separate breach affecting its mobile device management environment. Reporting linked the incident to exploitation of Ivanti EPMM and to compromised staff mobile devices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
European Commission Confirms Cloud Data Breach - Infosecurity Magazine
infosecurity-magazine.com
Open sourceHackers steal EU Commission cloud data | Cybernews
cybernews.com
Open sourceEuropean Commission probes breach of staff mobile devices
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
European Commission Probes Breach of Amazon Cloud Environment
The European Commission is investigating a breach after a threat actor gained unauthorized access to its Amazon cloud infrastructure and at least one account used to manage that environment. According to reports, the intrusion was detected quickly by the Commission’s cybersecurity incident response team, but the actor claims to have exfiltrated more than **350 GB** of data, including multiple databases. Screenshots shared with reporters allegedly show access to European Commission employee information and an email server used by staff. The actor reportedly said they do not intend to extort the Commission and instead plan to leak the stolen data later. The incident adds to a recent string of security problems at European institutions: the Commission had already disclosed a separate breach tied to a compromised mobile device management platform, apparently linked to exploitation of **Ivanti Endpoint Manager Mobile** code-injection vulnerabilities that affected other organizations in the region as well.
Apr 24, 2026
ShinyHunters Claims Theft of Council of Europe HR and Payroll Data
ShinyHunters claimed it breached the Council of Europe and stole roughly **297 GB** of data, saying it exfiltrated more than **429,000 files** from multiple departments and threatening to publish the material unless the organization makes contact by **June 16**. The gang’s leak-site post described a haul spanning the Secretariat, human resources, payroll administration, parliamentary and conference-related units, and said the cache includes payslips, personnel files, CVs, payroll exports, contract records, and performance evaluations affecting more than **10,000 staff**. The allegedly stolen records contain highly sensitive personal data, including names, addresses, dates of birth, salaries, bank details, tax and social security information, and medical or absence records. The Council of Europe said it is investigating the claims and had not confirmed a breach at the time of reporting, while the incident was linked in coverage to ShinyHunters’ broader run of extortion and data-theft operations involving Salesforce-related intrusions, Snowflake customer breaches, and reported exploitation of an Oracle PeopleSoft zero-day.
Jun 21, 2026
European Institutions Breached via Ivanti Endpoint Manager Mobile Vulnerabilities
The **European Commission** disclosed it is investigating a breach after detecting traces of an attack against its central **mobile device management (MDM)** infrastructure used to administer staff mobile devices. The Commission said the incident was contained and the system cleaned within **nine hours**, and it has not found evidence that managed mobile devices themselves were compromised; however, attackers may have accessed limited staff personal data such as **names and mobile phone numbers**. The activity appears consistent with a broader set of intrusions affecting European public-sector bodies tied to vulnerabilities in **Ivanti Endpoint Manager Mobile (EPMM)**. Dutch authorities reported that the **Dutch Data Protection Authority** and the **Council for the Judiciary/Justice** experienced nearly identical breaches in which unauthorized parties exploited an Ivanti EPMM software flaw to access employee data, including **names, email addresses, and phone numbers**, suggesting a shared exploitation vector across multiple European institutions’ MDM deployments.
Mar 21, 2026