The European Commission — the executive body of the European Union, responsible for proposing legislation, enforcing EU law, and managing the bloc's day-to-day operations — is investigating a confirmed data breach after an attacker gained unauthorized access to at least one of its Amazon Web Services accounts. The threat actor claims to have stolen over 350GB of data including multiple databases and evidence of access to an email server used by Commission employees. The attacker has stated they will not extort the Commission but intend to leak the stolen data publicly. AWS confirmed its own infrastructure was not compromised. This is the Commission's second confirmed breach in two months.
What Happened
BleepingComputer first reported the breach on March 27, 2026, after being contacted by the threat actor claiming responsibility. The Commission had not publicly disclosed the incident at the time of reporting, though sources confirmed the Commission's cybersecurity incident response team was actively investigating.
The attacker compromised at least one AWS account belonging to the European Commission — specifically accounts associated with infrastructure hosting Commission websites and email systems. AWS stated its services "operated as designed," confirming the breach involved compromised credentials or access controls on the Commission's side, not a vulnerability in AWS infrastructure itself.
The attacker provided BleepingComputer with screenshots as proof of access, including evidence of access to information belonging to Commission employees and to an email server used by Commission staff. The Commission has characterized its internal IT systems as unaffected, though the full scope of the breach remains under investigation.
Notably, the attacker told BleepingComputer they do not intend to use the stolen data for extortion — instead stating they plan to release the data publicly at a later date. This is a politically motivated leak operation, not a ransomware or financial extortion play.
This breach follows a February 2026 disclosure of a separate incident in which the Commission's mobile device management platform was compromised — an attack linked to Ivanti EPMM vulnerabilities also exploited against the Dutch Data Protection Authority and Finland's government agency Valtori. The Commission is experiencing a sustained pattern of targeting.
What Was Taken
The attacker claims to have exfiltrated:
- 350+ GB of data across multiple databases — a substantial volume suggesting broad, systematic exfiltration rather than targeted cherry-picking
- Employee information — screenshots confirmed access to data belonging to European Commission employees
- Email server data — access to an email server used by Commission staff, which may include message content, contacts, calendar data, and metadata
- Database contents — multiple databases, likely including operational, personnel, or web infrastructure data depending on which AWS accounts were affected
The Commission's characterization that "internal IT systems weren't affected" requires careful parsing. Website-hosting infrastructure and email servers are not peripheral to operations — they contain communications metadata, employee directories, and potentially sensitive correspondence. The full dataset scope will not be known until the leak occurs or the investigation concludes.
Why It Matters
The European Commission is not just a bureaucratic target — it is the institution that drafts EU legislation on data protection (GDPR), cybersecurity (NIS2), AI regulation, and sanctions policy. A threat actor with access to Commission employee communications and databases has potential visibility into policy deliberations, negotiating positions, regulatory enforcement strategy, and diplomatic correspondence.
The attacker's decision to announce a future public leak rather than demand a ransom is the most strategically significant element of this incident. It signals one of two things: a hacktivist or state-adjacent actor whose goal is reputational damage and intelligence disclosure rather than financial gain, or an actor who has already achieved their primary intelligence-collection objective and is now executing a secondary influence operation.
The timing is also notable. The Commission proposed new cybersecurity legislation on January 20, 2026, specifically to strengthen defenses against state-backed actors. A public breach of the Commission's own infrastructure, with a promised data dump, is a direct counter-narrative to that legislative agenda — demonstrating that the EU's executive body cannot secure its own cloud environment while proposing to regulate everyone else's.
This breach also continues a pattern: the Commission's MDM platform was compromised in January via Ivanti EPMM vulnerabilities. Two confirmed breaches in two months of the EU's primary executive body suggest either persistent attacker access, multiple independent threat actors, or systemic security deficiencies in the Commission's cloud and device management posture.
The Attack Technique
The attacker did not disclose the specific initial access method. AWS confirmed no vulnerability on its side, which narrows the likely vectors to:
- Compromised AWS IAM credentials — stolen, phished, or purchased access keys for Commission AWS accounts; credential compromise is the dominant cause of cloud account breaches and requires no exploitation of AWS infrastructure
- Overprivileged IAM roles or access policies — misconfigured AWS roles that granted broader access than intended, enabling lateral movement from an initial foothold to sensitive databases and email infrastructure
- Third-party supply chain access — web hosting, CDN, or managed service providers with delegated AWS access to Commission accounts; a compromised vendor with administrative access to Commission infrastructure would appear as legitimate activity to AWS
- Credential reuse or stuffing from prior breach — Commission employee credentials exposed in earlier incidents (including the January MDM breach) reused against AWS console or API access
The connection to the January Ivanti EPMM attacks is worth noting. If Commission device credentials were harvested through the MDM compromise, those same credentials may have provided cloud access — making this a second-stage attack enabled by the earlier breach.
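The vectors listed above all leave traces in CloudTrail once logging is on, which is what a defender should be watching for. The rules below are an added example, not code from the article and not an AWS tool: they run over records in the real CloudTrail JSON shape (the records themselves are constructed samples) and flag a console sign-in without MFA, an access key used from an address outside its expected network, and the enumeration burst that usually follows a new foothold. EXPECTED_SOURCE_IPS is an assumed allowlist that a defender would build from their own inventory of where each key legitimately runs.

```python
"""Detection rules over CloudTrail records for patterns a stolen or over-privileged
IAM credential tends to produce. Added example: not the article's code and not an
AWS tool. Records are constructed samples in the real CloudTrail JSON shape, and
EXPECTED_SOURCE_IPS is an assumed per-key allowlist a defender would keep."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed inventory: the addresses each access key is expected to be used from.
EXPECTED_SOURCE_IPS = {"AKIAEXAMPLE0000001": {"198.51.100.10"},   # web-admin
                       "AKIAEXAMPLE0000002": {"198.51.100.10"}}   # ci-deploy
WEB_ADMIN = ("web-admin", "AKIAEXAMPLE0000001")
CI_DEPLOY = ("ci-deploy", "AKIAEXAMPLE0000002")
UNKNOWN_IP, OFFICE_IP = "203.0.113.77", "198.51.100.10"

def _api(time, user, key, service, name, ip):
    """One constructed management-event record made with an IAM user's access key."""
    return {"eventTime": time, "eventSource": f"{service}.amazonaws.com",
            "eventName": name, "awsRegion": "eu-west-1", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}

def _login(time, user, ip, mfa_used):
    """One constructed ConsoleLogin record; sign-in events carry MFAUsed Yes/No."""
    return {"eventTime": time, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": mfa_used}}

# Constructed trail: web-admin signs in without MFA from an unknown address, then
# enumerates RDS, S3, IAM, EC2 and STS within minutes; the other two are normal.
SAMPLE_TRAIL = json.dumps({"Records": [
    _login("2026-03-25T02:14:09Z", "web-admin", UNKNOWN_IP, "No"),
    _api("2026-03-25T02:16:40Z", *WEB_ADMIN, "rds", "DescribeDBInstances", UNKNOWN_IP),
    _api("2026-03-25T02:17:05Z", *WEB_ADMIN, "s3", "ListBuckets", UNKNOWN_IP),
    _api("2026-03-25T02:17:30Z", *WEB_ADMIN, "iam", "ListUsers", UNKNOWN_IP),
    _api("2026-03-25T02:18:02Z", *WEB_ADMIN, "ec2", "DescribeInstances", UNKNOWN_IP),
    _api("2026-03-25T02:18:45Z", *WEB_ADMIN, "sts", "GetCallerIdentity", UNKNOWN_IP),
    _api("2026-03-25T03:00:00Z", *CI_DEPLOY, "s3", "PutObject", OFFICE_IP),
    _login("2026-03-25T08:30:00Z", "ops-lead", OFFICE_IP, "Yes"),
]})

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _principal(r):
    ident = r.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")

def parse_records(trail_json):
    return json.loads(trail_json)["Records"]

def console_logins_without_mfa(records):
    """Successful console sign-ins where no MFA factor was presented."""
    return [(r["eventTime"], _principal(r), r["sourceIPAddress"]) for r in records
            if r.get("eventName") == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") == "No"]

def keys_used_from_unexpected_ip(records, allowlist):
    """Access-key calls from a source address outside that key's allowlist."""
    hits = []
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key and r.get("sourceIPAddress") not in allowlist.get(key, set()):
            hits.append((r["eventTime"], key, r["sourceIPAddress"], r["eventName"]))
    return hits

def enumeration_bursts(records, window_minutes=10, threshold=5):
    """Principals issuing >= threshold distinct List/Describe/Get calls inside one
    sliding window: the reconnaissance burst that typically follows a new foothold."""
    by_principal = defaultdict(list)
    for r in records:
        name = r.get("eventName", "")
        if name.startswith(("List", "Describe", "Get")):
            by_principal[_principal(r)].append((_ts(r["eventTime"]), name))
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for principal, events in by_principal.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= threshold:
                bursts[principal] = sorted(names)
                break
    return bursts

if __name__ == "__main__":
    recs = parse_records(SAMPLE_TRAIL)
    print("no_mfa", console_logins_without_mfa(recs))
    print("unexpected_ip", keys_used_from_unexpected_ip(recs, EXPECTED_SOURCE_IPS))
    print("bursts", enumeration_bursts(recs))
```

In production the allowlist and the thresholds come from your own baseline, and the same three rules are the kind of thing GuardDuty's credential-exfiltration and reconnaissance findings cover; the point of writing them out is to see exactly which fields in a record carry the signal (additionalEventData.MFAUsed, userIdentity.accessKeyId, sourceIPAddress and the eventName prefix).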
What Organizations Should Do
- Audit all AWS IAM users, roles, and access keys immediately — identify every entity with programmatic or console access to your AWS environment; revoke any key that hasn't been used in 30 days; enforce MFA on all IAM users without exception; rotate all access keys on a documented schedule
- Enable AWS CloudTrail and GuardDuty across all accounts and regions — comprehensive logging of all API calls, combined with GuardDuty's anomaly detection, is the minimum baseline for detecting cloud account compromise; if you don't have centralized logging of your cloud environment, you are flying blind
- Implement least-privilege IAM policies and review overpermissioned roles — a compromised credential's blast radius is determined entirely by what that credential is permitted to do; audit all IAM policies for excessive permissions, particularly any role with wildcard (*) actions or wildcard (*) resources
- Treat cloud-hosted infrastructure as part of your core attack surface — the Commission's framing of "internal IT systems unaffected" understates the sensitivity of website hosting and email server infrastructure; any cloud account containing employee data, communications, or operational databases is a primary target and should be protected accordingly
- Apply the lessons of your MDM breach to your cloud posture — if you experienced a device management compromise, assume credentials harvested from that incident are being tested against every other system; force password resets and session invalidation across all systems, not just the directly affected one
- Establish a cloud breach notification and response playbook — the Commission did not publicly disclose this breach until a journalist's inquiry; organizations should have pre-defined notification thresholds, legal obligations review, and communication protocols that activate automatically on confirmed cloud account compromise — not reactively after external reporting
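A worked check for the first and third items in the list above: keys left active but idle past the 30-day limit, console users without MFA, and policies granting wildcard actions or resources. It is an added example, not the article's or AWS's code. It reads the CSV layout that the IAM credential report (`aws iam get-credential-report`) returns and IAM policy documents in their JSON form; the rows and policies below are constructed, and the audit date 2026-03-27 is an assumed value.

```python
"""IAM hygiene audit: active keys idle past a limit, console users without MFA, and
policies that grant wildcard actions or resources. Added example, not the article's
or AWS's code. Input is the CSV layout of the IAM credential report
(`aws iam get-credential-report`) with constructed rows, and IAM policy documents
in their real JSON shape with constructed contents."""
import csv
import io
from datetime import datetime, timezone

AS_OF = datetime(2026, 3, 27, tzinfo=timezone.utc)   # assumed audit date

# Constructed credential report: real column names, fabricated rows.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2019-05-03T09:00:00+00:00,not_supported,2025-11-02T10:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
web-admin,arn:aws:iam::111111111111:user/web-admin,2022-01-10T08:00:00+00:00,true,2026-03-25T02:14:09+00:00,2024-06-01T08:00:00+00:00,N/A,false,true,2024-06-01T08:05:00+00:00,2026-03-25T02:16:40+00:00,eu-west-1,rds,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2023-07-14T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2026-01-10T12:00:00+00:00,2026-03-26T23:55:00+00:00,eu-west-1,s3,true,2025-01-10T12:00:00+00:00,2025-12-01T00:00:00+00:00,eu-west-1,s3,false,N/A,false,N/A
legacy-report,arn:aws:iam::111111111111:user/legacy-report,2023-02-20T12:00:00+00:00,true,2025-09-14T15:30:00+00:00,2025-09-14T15:00:00+00:00,N/A,true,true,2023-02-20T12:01:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed customer-managed policies in the IAM policy document format.
POLICIES = {
    "WebAdminFullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "DeployBucketWrite": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-web-assets/*"}]},
    "RdsReadAll": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "secretsmanager:*",
         "Resource": "arn:aws:secretsmanager:eu-west-1:111111111111:secret:web-db-*"}]},
}

def _date(value):
    """The report writes N/A, no_information or not_supported where no date exists."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def load_report(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))

def console_users_without_mfa(rows):
    """Users who can sign in to the console but have no MFA device enabled."""
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]

def stale_active_keys(rows, as_of, max_idle_days=30):
    """Active keys idle longer than max_idle_days. A key that has never been used is
    measured from its creation (last_rotated) date, so it is flagged too."""
    findings = []
    for r in rows:
        for slot in ("access_key_1", "access_key_2"):
            if r[f"{slot}_active"] != "true":
                continue
            last = _date(r[f"{slot}_last_used_date"]) or _date(r[f"{slot}_last_rotated"])
            idle = (as_of - last).days
            if idle > max_idle_days:
                findings.append((r["user"], slot, idle))
    return findings

def _as_list(v):
    return v if isinstance(v, list) else [v]

def wildcard_grants(policies):
    """Allow statements whose Action is '*' or 'service:*', or whose Resource is '*'.
    Partial patterns such as rds:Describe* or a bucket path ending in /* are not flagged."""
    findings = []
    for name, doc in policies.items():
        for i, st in enumerate(_as_list(doc["Statement"])):
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action", []))
            if "*" in actions:
                findings.append((name, i, "all actions"))
            elif any(a.endswith(":*") for a in actions):
                findings.append((name, i, "all actions of one service"))
            if "*" in _as_list(st.get("Resource", [])):
                findings.append((name, i, "all resources"))
    return findings

def audit(report_csv=CREDENTIAL_REPORT, policies=POLICIES, as_of=AS_OF):
    rows = load_report(report_csv)
    return {"no_mfa": console_users_without_mfa(rows),
            "stale_keys": stale_active_keys(rows, as_of),
            "wildcards": wildcard_grants(policies)}

if __name__ == "__main__":
    for finding, items in audit().items():
        print(finding, items)
```

Against the constructed rows the audit flags web-admin (console password, no MFA), ci-deploy's second key (idle since December) and legacy-report's never-used key, and it flags both statements of WebAdminFullAccess plus the two broad grants in RdsReadAll while leaving the bucket-scoped DeployBucketWrite alone. The same functions run unchanged on a real report pulled from the CLI; the policy walk covers only customer-managed documents you feed it, so inline and AWS-managed policies attached to roles need to be collected separately.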