
European Commission Cloud Infrastructure Security Breach Leaks Hundreds of Gigabytes of Data

A security breach at the European Commission has enabled a threat actor to steal hundreds of gigabytes of data from its Amazon cloud infrastructure used to manage the Europa.eu web platform.

The Commission is the executive arm of the European Union. Its functions include developing policy and strategy, proposing and enforcing legislation, and representing the 27-member bloc on the international stage. It also manages Europa.eu, which houses various European Union institutions’ websites, including the European Commission, the European Parliament, and the European Council.

“On 24 March, the European Commission discovered a cyber-attack, which affected its cloud infrastructure hosting the Commission’s web presence on the Europa.eu platform,” the Commission stated.

European Commission confirms security breach on its cloud infrastructure

The executive body said it took “immediate steps” to fix the security breach and that the incident has been fully contained. Additionally, it implemented risk mitigation measures to limit the disruption of its cloud infrastructure.

“Immediate steps were taken to contain the attack. The Commission’s swift response ensured the incident was contained and risk mitigation measures were implemented to protect services and data, without disrupting the availability of the Europa websites.”

Meanwhile, efforts to notify impacted institutions are underway. The Commission also took steps to enhance its cloud infrastructure security to prevent a similar security breach in the future. The EU body also says it is closely monitoring the situation and will report any future developments.

Currently, the Commission believes the incident was limited to its cloud infrastructure, and its internal systems were unaffected. An investigation is also underway to determine the scope of the incident.

“The investigation is ongoing but we can already confirm that the Commission’s internal systems were not affected by the cyber-attack,” it added.

However, the executive body suspects that the attacker may have exfiltrated data from the cloud infrastructure.

“If this compromise is as deep as the reported 350 GB haul suggests, the blast radius goes way beyond a single cloud admin account,” said Nick Tausek, Lead Security Automation Architect at Swimlane. “Access to multiple databases in addition to Commission employee data and an internal email server opens the door to identity risk, operational disruption, and second-stage attacks like spearphishing.”

Sources say the attacker stole hundreds of gigabytes, including databases, which could contain vast amounts of data, potentially including personal information. Nevertheless, the Commission has not confirmed receiving any ransom demands. Sources say the attacker does not intend to extort the Commission.

Although the Commission’s AWS cloud infrastructure was compromised, the security breach does not appear to have originated from an Amazon security vulnerability. Misconfigurations typically account for most cloud incidents, and that was likely the case in the European Commission’s security breach.

Security breaches plague the European Commission

At the time of publication, the executive body had not attributed the cyber attack to any threat group. Nonetheless, state-sponsored hackers, political hacktivists, and financially motivated attackers frequently target the European Union.

“The breach also fits an uncomfortable pattern,” added Tausek. “The Commission disclosed a separate breach in February tied to its mobile device management environment, reportedly linked to Ivanti EPMM exploitation seen across other European institutions, indicating a potential trend line.”

In January 2026, the European Commission leaked staff data following a security breach affecting the centralized backend infrastructure for managing mobile devices, Ivanti Endpoint Manager Mobile (EPMM).

In 2021, another “IT security incident” affected various European Union institutions, triggering an investigation. In 2018, suspected Chinese state-sponsored hackers also breached European Union diplomats’ cables on various sensitive topics, including cybersecurity and technology exports.

However, the Commission reiterates its commitment to strengthening and securing its IT infrastructure against the persistent cyber threats facing Western democratic institutions.

“As Europe confronts persistent cyber and hybrid attacks targeting essential services and democratic institutions, the Commission is actively working on enhancing the EU’s cybersecurity resilience,” it says.

In January 2026, the Commission proposed draft legislation to enhance its cyber resilience, which includes removing high-risk suppliers to secure its digital infrastructure from potential foreign cyber espionage. Chinese telecom vendors, such as Huawei and ZTE, will likely be the most affected.

The proposed revised Cybersecurity Act would affect 18 critical sectors. It aims to reduce “risks in the EU’s ICT supply chain from third-country suppliers with cybersecurity concerns.”

“Against that backdrop, the recent proposal to tighten EU cyber legislation and reduce dependence on high-risk suppliers is easy to connect in headlines,” Tausek continued. “The more likely story is that the Commission is a high-value target under constant pressure, and attackers do not need a policy trigger to go hunting.”

“That said, policy moves can raise the temperature, invite probing, and accelerate adversary interest in supply chain weak spots, especially where cloud, third-party tooling, and identity controls intersect. The lesson for every public sector team watching this is practical. Treat cloud access like critical infrastructure, and stop relying on manual swivel chair response when the stakes are this high. Pull telemetry from your cloud and identity stack into a single workflow, auto triage and enrich suspicious activity, and kick off containment actions like credential resets, token revocation, and access policy hardening in minutes, not days,” concluded Tausek.