The European Commission has confirmed a major data breach attributed to a coalition of cybercriminal groups TeamPCP and ShinyHunters, resulting in the theft of approximately 92 gigabytes of compressed data. The intrusion, which occurred on March 19, traces back to a supply chain compromise of the open-source security scanner Trivy and may affect as many as 29 additional EU entities alongside dozens of internal clients.

What Happened

The breach began with a supply chain attack against Trivy, a widely used open-source container and vulnerability scanning tool. The European Commission inadvertently downloaded a compromised version of Trivy, which served as the initial foothold for the attackers. From that foothold, the threat actors extracted a secret API key tied to the Commission's cloud infrastructure, pivoted through the environment, and exfiltrated large volumes of data before detection.

The operation was not the work of a single group. TeamPCP executed the intrusion and staging phases, while ShinyHunters, a group known for high-profile data theft and extortion campaigns, collaborated on the exfiltration and monetization stages. The partnership reflects an increasingly common operating model in which specialist crews split responsibilities across initial access, lateral movement, and extortion.

What Was Taken

Investigators have tallied roughly 92 GB of compressed data stolen from the Commission's cloud environment. The archive contains personal information including names, email addresses, and the full content of email messages. A large portion of the captured messages is automated notifications with minimal sensitive content, but the dataset also contains bounced emails that carry original user-submitted content, including text fields submitted by members of the public interacting with EU services.

The blast radius extends beyond the Commission itself. Reporting indicates that up to 29 additional EU entities and dozens of internal clients that share the same cloud tenancy or API surface may be implicated, expanding the universe of affected data subjects considerably.

Why It Matters

This incident is a textbook illustration of how a single compromised dependency can cascade into a sovereign-scale data exposure. The European Commission is one of the most security-conscious institutional targets on the continent, and the attackers bypassed its perimeter entirely by poisoning a trusted security tool that defenders use to evaluate their own posture, a particularly corrosive form of supply chain compromise.

The coalition model is equally significant. When initial access brokers, intrusion operators, and extortion crews coordinate across a single campaign, dwell time shrinks, monetization accelerates, and attribution becomes murkier. Defenders should expect this division of labor to keep maturing across the ransomware and data-extortion ecosystem in 2026.

The Attack Technique

The kill chain reconstructed so far is:

  1. Supply chain compromise of the Trivy distribution, yielding a trojanized build.
  2. Execution of the compromised scanner inside the Commission's environment, establishing a foothold.
  3. Harvesting of a high-privilege API key from the local environment.
  4. Authenticated abuse of the stolen API key against the Commission's cloud tenancy to enumerate resources and access mailboxes and storage.
  5. Staged exfiltration of roughly 92 GB of compressed mailbox and personal data.
  6. Handoff to ShinyHunters for victim pressure and potential public leak or sale.

The reliance on a stolen API key, rather than user credentials, allowed the attackers to blend into legitimate automated traffic and evade multi-factor authentication controls that protect interactive logins.

What Organizations Should Do

  1. Inventory every instance of Trivy in your build pipelines and production systems, verify checksums against the vendor's signed releases, and replace any unverified binaries.
  2. Rotate all API keys, service principal secrets, and long-lived cloud credentials that may have been accessible to CI/CD agents or scanning hosts in the past 60 days.
  3. Treat security tools as Tier 0 assets. Isolate scanner execution in dedicated, egress-restricted environments so that a compromised scanner cannot reach production secrets or cloud control planes.
  4. Instrument cloud API usage with anomaly detection focused on volumetric reads, new geographies, and unusual user agents tied to service identities, not just human users.
  5. Enforce short-lived, scoped credentials using workload identity federation or OIDC-based token exchange in place of static API keys wherever feasible.
  6. Exercise an extortion scenario tabletop that assumes data is already exfiltrated, with clear decision rights for regulatory notification under GDPR and communications to affected data subjects.
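Item 4 above calls for anomaly detection on service-identity API usage rather than only on human logins. The following added example (not from the article or any cloud vendor) baselines a service principal over a constructed, hypothetical audit-log schema and flags the three deviations the item names: volumetric reads, a new geography, and an unseen user agent.

```python
import json
import statistics
from collections import defaultdict

# Constructed sample audit trail (hypothetical schema, not a real vendor format):
# one JSON object per line, covering service identities only.
BASELINE_LOG = """\
{"ts":"2026-03-01T02:00:00Z","principal":"svc-scanner","geo":"BE","ua":"trivy/0.58","bytes":12000}
{"ts":"2026-03-02T02:00:00Z","principal":"svc-scanner","geo":"BE","ua":"trivy/0.58","bytes":11000}
{"ts":"2026-03-03T02:00:00Z","principal":"svc-scanner","geo":"BE","ua":"trivy/0.58","bytes":13000}
"""
OBSERVED_LOG = """\
{"ts":"2026-03-19T02:00:00Z","principal":"svc-scanner","geo":"BE","ua":"trivy/0.58","bytes":14000}
{"ts":"2026-03-19T03:10:00Z","principal":"svc-scanner","geo":"BE","ua":"trivy/0.58","bytes":500000}
{"ts":"2026-03-19T03:15:00Z","principal":"svc-scanner","geo":"XX","ua":"python-requests/2.31","bytes":2000000}
"""

def parse_log(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(events):
    """Per service principal: geographies seen, user agents seen, read volumes."""
    base = defaultdict(lambda: {"geos": set(), "uas": set(), "bytes": []})
    for e in events:
        b = base[e["principal"]]
        b["geos"].add(e["geo"])
        b["uas"].add(e["ua"])
        b["bytes"].append(e["bytes"])
    return base

def detect(baseline, events, volume_factor=10):
    """Return (ts, principal, reasons) for each event deviating from baseline.
    A principal with no baseline at all is reported as an unknown identity."""
    findings = []
    for e in events:
        reasons = []
        b = baseline.get(e["principal"])  # .get() does not create a default entry
        if b is None:
            reasons.append("unknown_principal")
        else:
            if e["geo"] not in b["geos"]:
                reasons.append("new_geo")
            if e["ua"] not in b["uas"]:
                reasons.append("new_user_agent")
            if e["bytes"] > volume_factor * statistics.median(b["bytes"]):
                reasons.append("volumetric_read")
        if reasons:
            findings.append((e["ts"], e["principal"], reasons))
    return findings

if __name__ == "__main__":
    for f in detect(build_baseline(parse_log(BASELINE_LOG)), parse_log(OBSERVED_LOG)):
        print(*f)
```

In production the baseline would be learned from a rolling window of real audit logs and the volume threshold tuned per principal; the point here is that a key used from a new place, by a new client, at an unusual volume is detectable even though it never touches an interactive login.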

Sources: European Commission Hacked: Cybercriminals Team Up for Massive Data Breach (2026)