European Commission Cloud Breach: A Supply Chain Compromise

Rusty Snippets

Administrator
Staff member
Joined
Aug 7, 2025
Messages
89
Location
Oklahoma
United-States
In the interest of transparency, and in full agreement with the European Commission, CERT-EU is publishing this blog post to inform the wider community about a cybersecurity incident affecting the European Commission’s public website platform “europa.eu” hosted on Amazon Web Services (AWS) cloud infrastructure.

CERT-EU was notified of this incident on 25 March 2026 by the European Commission, in accordance with Article 21 of Regulation (EU, Euratom) 2023/2841 (the “Cybersecurity Regulation”), which requires the Union institutions, bodies, offices and agencies (Union entities) to report significant incidents to CERT-EU without undue delay. CERT-EU has been providing support in accordance with Article 22 of the same Regulation.

On March 27, the European Commission publicly disclosed the incident through a press release.

Key points​

  • On March 24, the European Commission’s Cybersecurity Operations Centre received alerts about potential misuse of Amazon APIs, potential account compromise, and an abnormal increase in network traffic. On March 25, CERT-EU was informed.

  • We assess with high confidence that initial access was obtained through the Trivy supply-chain compromise, which was publicly attributed to a threat actor known as TeamPCP.

  • A significant volume of data (about 91.7 GB compressed) was exfiltrated from the compromised AWS account, including personal data such as names, email addresses, and email content.

  • On March 28, the data extortion group ShinyHunters made the stolen data publicly available on their dark web leak site.

  • The compromised account is part of the technical infrastructure that drives multiple websites of the European Commission. Data pertaining to at least 29 other Union entities may be affected.

  • We assess that the rise in supply-chain compromises poses a significant threat. We strongly encourage all organisations to implement the recommendations in this post.

What happened​

On March 25, CERT-EU received a notification from the European Commission that one of their AWS cloud accounts had been compromised. The first alerts, indicating potential misuse of Amazon APIs, potential account compromise, and an unusual volume of network traffic, had been detected by their Cybersecurity Operations Centre (CSOC) team the previous day....................


 
Back
Top