The European Commission confirmed on Thursday that a cyberattack struck part of its cloud infrastructure hosted on Amazon Web Services, resulting in the theft of more than 350 gigabytes of data. The attack, which occurred on March 24, was detected and blocked by security teams, but not before the threat actor managed to exfiltrate a substantial volume of sensitive information including multiple databases and internal files.
According to sources familiar with the investigation, the threat actor contacted BleepingComputer directly with evidence of the breach, providing screenshots that showed access to European Commission employee information and an internal email server. The compromised infrastructure hosted the Commission's web presence on the Europa.eu platform, raising concerns about the scope of data that may have been accessed during the intrusion.
Security analysts have confirmed that Amazon Web Services itself was not compromised in this incident. Instead, the attacker targeted the management layer — specifically compromising at least one account used to administer the Commission's cloud environment. This distinction is critical, as it points to a failure in access controls and credential management rather than a vulnerability in the underlying cloud platform.
The European Commission stated that it took immediate steps to contain the attack once it was detected, and that the breach has been fully isolated. An internal investigation is currently underway to determine the full extent of the data exfiltration and identify any additional systems that may have been affected. The Commission has not yet disclosed whether the stolen data includes classified or restricted information.
In a particularly concerning development, the threat actor has indicated that they do not plan to demand a ransom for the stolen data. Instead, the hacker intends to leak the information publicly at a later date, suggesting that the motivation behind the attack may be geopolitical or reputational rather than financial. This approach represents a growing trend among sophisticated threat actors who seek to maximize damage through public exposure rather than private extortion.
This incident marks the second major cybersecurity breach affecting the European Commission in 2026. On January 30, unauthorized access to the central mobile device management infrastructure was detected on February 6, potentially exposing staff names and phone numbers. That earlier breach, which was contained within nine hours, may have exploited vulnerabilities tracked as CVE-2026-1281 and CVE-2026-1340.
The repeated targeting of European Union institutions underscores the escalating cyber threat landscape facing government organizations worldwide. Cybersecurity experts have emphasized that cloud environments require robust identity and access management protocols, multi-factor authentication, and continuous monitoring to prevent similar incidents in the future. The European Commission has pledged to strengthen its security posture as the investigation continues.
Comments