The European Commission — the EU's primary executive body — is investigating a security breach after a threat actor claimed to have gained unauthorized access to the institution's Amazon Web Services (AWS) cloud environment, stealing over 350 GB of data that includes databases, employee information, and email server data.
What Was Stolen
The attacker contacted BleepingComputer to announce the breach and provided screenshots as proof of access to sensitive Commission systems. The claimed stolen data includes:
- Multiple databases belonging to Commission systems
- Employee information for Commission staff
- Email server data used by Commission personnel
The threat actor declined to disclose the specific method used to gain access but stated they do not intend to extort the Commission. Instead, they plan to publicly leak the data at a later date.
Amazon's Response
Amazon disputed any compromise of its own infrastructure. "AWS did not experience a security event, and our services operated as designed," the company told reporters. This places the breach firmly on the European Commission side — meaning an attacker gained access to the Commission's AWS account credentials or session tokens rather than exploiting a flaw in AWS infrastructure itself.
This is a key distinction: the breach was of the Commission's cloud tenant, not the underlying cloud provider. AWS services functioned as intended; the attacker's access came from compromising the Commission's own credentials or access controls within AWS.
Part of a Broader Pattern
This incident follows a series of breaches affecting European government institutions in early 2026:
- January 30, 2026: The Commission discovered a separate breach of its mobile device management (MDM) platform, which was publicly disclosed in February 2026.
- Dutch and Finnish government agencies were previously linked to breaches involving Ivanti Endpoint Manager Mobile software vulnerabilities.
The European Commission now faces scrutiny over its cloud security posture following two disclosed security incidents within two months.
Investigation Underway
The Commission confirmed it is actively investigating the AWS breach. No further technical details about the initial access method have been disclosed publicly. It is not yet known whether the breach involved:
- Stolen or phished credentials for the AWS account
- Misconfigured IAM roles or permissions allowing excessive access
- Compromised access keys from a leaked developer environment or CI/CD pipeline
- Session token hijacking via a prior compromise of a Commission endpoint
Implications for Cloud Security
The incident reinforces a persistent challenge for large government organizations adopting cloud infrastructure: securing the cloud account itself is as critical as securing the cloud resources within it. AWS provides extensive tooling — including GuardDuty, CloudTrail, IAM Access Analyzer, and SCPs — to detect and prevent unauthorized access, but these controls must be actively configured and monitored.
Key cloud security hygiene practices directly relevant to this type of breach include:
- Enforce MFA on all IAM users and root accounts, with phishing-resistant hardware tokens for privileged users
- Rotate and audit access keys regularly; revoke any unused or long-standing keys
- Enable CloudTrail logging across all regions with tamper-proof log storage in a separate security account
- Use AWS GuardDuty to detect anomalous API calls, geographic access anomalies, and credential abuse in real time
- Apply least-privilege IAM policies — review and tighten permissions across all roles, especially those with data read or export capabilities
- Implement Service Control Policies (SCPs) in AWS Organizations to enforce guardrails across all accounts
- Monitor for unusual data egress patterns — 350 GB of data exfiltration should trigger egress anomaly alerts if monitoring is properly configured
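The MFA and access-key items above can be checked offline against an IAM credential report. The following is an added example, not code from the Commission, AWS or the original article: it parses a constructed sample in the credential report's CSV layout, and the 90-day and 45-day thresholds, the account ID and the user names are assumptions chosen for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using a subset of the IAM credential report columns.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2023-01-10T09:00:00+00:00,2026-03-10T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2026-01-15T08:30:00+00:00,2026-03-01T10:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2024-06-01T00:00:00+00:00,N/A,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,N/A,false,N/A,N/A
"""

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_IDLE_DAYS = 45      # assumed threshold for an "unused" key
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)  # constructed audit date

def days_since(timestamp, now):
    """Whole days between an ISO 8601 report timestamp and `now`."""
    return (now - datetime.fromisoformat(timestamp)).days

def audit(report_csv, now):
    """Return (user, finding) tuples for MFA gaps and risky access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has console access; IAM users only if a password is set.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"ROOT_KEY_{n}"))  # root should hold no keys
            rotated = row[f"access_key_{n}_last_rotated"]
            if rotated != "N/A" and days_since(rotated, now) > MAX_KEY_AGE_DAYS:
                findings.append((user, f"KEY_{n}_STALE"))
            last_used = row[f"access_key_{n}_last_used_date"]
            if last_used == "N/A" or days_since(last_used, now) > MAX_IDLE_DAYS:
                findings.append((user, f"KEY_{n}_UNUSED"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```

A real report is produced with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose output is base64-encoded and must be decoded before being passed to `audit`.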
What Happens Next
The Commission's investigation will aim to determine the initial access vector, the full scope of data accessed, and whether the breach extends beyond what the attacker has claimed. Given the actor's stated intent to leak data, affected individuals — including Commission employees whose personal data may have been exposed — should be notified in accordance with GDPR requirements.
The breach also puts pressure on EU institutions to harden their cloud security practices, particularly given the geopolitical context and the continued targeting of European government infrastructure by threat actors.