
The European Commission Data Breach Compromises Infrastructure for Managing Mobile Devices

The European Commission has confirmed a data breach affecting a centralized backend infrastructure for managing officials’ and staff members’ mobile devices.

The Commission is the executive branch of the European Union and is responsible for representing the 27-member bloc, developing policy and strategy, and proposing and enforcing laws, among other functions.

In January, it proposed draft legislation to strengthen the European Union’s cybersecurity against state-backed and other cyber threats.

European Commission confirms data breach on infrastructure for managing mobile devices

The Commission has confirmed that the data breach leaked staff members’ names, mobile phone numbers, and business email addresses, which could enable cybercriminals to carry out phishing attacks.

“On 30 January, the European Commission’s central infrastructure managing mobile devices identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members,” the Commission stated.

However, it secured the system within nine hours and found no evidence that the mobile devices were compromised.

Additionally, the Commission says it is monitoring the incident and will take the necessary steps to prevent a similar data breach by enhancing the resiliency of its systems.

“The Commission takes seriously the security and resilience of its internal systems and data and will continue to monitor the situation. It will take all necessary measures to ensure the security of its systems,” it added.

So far, the Commission has not attributed the data breach, disclosed the motive for the attack, or disclosed the number of affected mobile devices.

However, officials and staff members working with government and non-governmental organizations, think tanks, and diplomatic missions are frequently targeted by state-sponsored threat actors for cyber espionage.

The European Union, in particular, regularly experiences cyber attacks by state-sponsored threat actors aimed at undermining its democratic institutions, disrupting operations, or conducting cyber espionage.

“As Europe faces daily cyber and hybrid attacks on essential services and democratic institutions, the Commission is committed to further strengthen the EU’s cybersecurity resilience and capabilities,” it stated.

In 2021, the European Commission said it was investigating an “IT security incident” affecting various institutions, including itself.

In 2018, suspected Chinese state-sponsored hackers breached European diplomats’ cables on various sensitive topics, including cybersecurity and technology exports.

“The European Commission’s recent breach highlights the ongoing issue of governments experiencing avoidable security failures in systems as fundamental as mobile device management,” stated Steve Cobb, Chief Information Security Officer at SecurityScorecard. “Even though the Commission reported no compromise of mobile devices, the fact that attackers were able to access staff names and mobile numbers at all reveals a level of exposure that should never exist within a government environment.”

Ivanti Endpoint Manager Mobile linked to the European Commission data breach

While the Commission has not disclosed the attack vector, the data breach likely resulted from vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. EPMM is popular with governments and both public and private organizations for managing mobile devices.

The infrastructure grants security teams various administrative rights, including modifying security policies, installing software, and locking, unlocking, and wiping mobile devices. If it is exploited, an attacker could abuse these privileges to exfiltrate sensitive information or pivot to other systems.

“What these Ivanti EPMM vulnerabilities reveal is not a mobile security problem,” warned Shane Barney, Chief Information Security Officer at Keeper Security. “They reveal a privileged access problem that happens to sit in mobile infrastructure. Device management platforms are trusted to make access decisions continuously and at scale. They authenticate devices, enforce policy and implicitly vouch for the legitimacy of downstream access.

“When an attacker gains control at that layer, they are not bypassing security controls. They are inheriting them. That is why incidents involving management platforms carry disproportionate risk, even when the immediate impact appears limited,” added Barney.

Ivanti had previously warned about the exploitation of zero-day vulnerabilities CVE-2026-1281 and CVE-2026-1340 in EPMM software.

“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti warned.

Nevertheless, the vulnerabilities did not affect other software solutions for managing mobile devices, including Ivanti Neurons for MDM. Ivanti had also released security fixes for the two code injection vulnerabilities, which could enable remote code execution.

“What makes this incident especially concerning is its alignment with similar attacks targeting European institutions through known vulnerabilities in Ivanti’s Endpoint Manager Mobile software,” added Barney. “Governments should be setting the standard for proactive patching rather than becoming examples of what happens when patching falls short.”

Meanwhile, the internet monitoring group Shadowserver Foundation reports that more than 50 EPMM servers were compromised by exploiting CVE-2026-1281, with attackers dropping web shells and other artifacts.