European Commission Cloud Breach Exposes Data from 30 EU Entities, Linked to TeamPCP
On March 27, 2026, CERT-EU disclosed a cybersecurity breach affecting the European Commission’s Amazon Web Services (AWS) cloud environment, exposing data from at least 30 EU entities. The attack, attributed to the TeamPCP threat group, was first detected by the Commission on March 24, though initial access occurred as early as March 10 via a compromised AWS API key.
The breach stemmed from a supply-chain attack on Trivy, a vulnerability scanning tool, which was exploited to steal an AWS secret key on March 19. TeamPCP used this access to deploy TruffleHog, a credential-scanning tool, and created additional access keys to evade detection while conducting reconnaissance and data exfiltration. The group, known for targeting platforms like GitHub, PyPI, and Docker, has been linked to similar supply-chain compromises, including a malicious LiteLLM package used to distribute malware.
By March 25, the Commission’s Cybersecurity Operations Centre (CSOC) identified unusual AWS API activity, prompting an investigation. While the breach did not disrupt website availability or affect internal Commission systems, 350GB of data, including emails, databases, contracts, and personal information, was stolen. On March 28, the ShinyHunters group leaked the stolen data, which included names, usernames, email addresses, and over 51,000 outbound emails, some containing user-submitted content.
CERT-EU confirmed that 71 clients of the Europa web hosting service were impacted, including 42 European Commission entities and 29 other EU bodies. The Commission has notified affected parties and is conducting a full impact assessment, though no evidence suggests website tampering or device compromise.
This incident follows a separate January 30 attack on the Commission’s mobile device management system, where attackers accessed limited staff data but failed to compromise devices. The EU continues to strengthen cybersecurity measures amid rising threats to critical institutions.
Aqua Security cybersecurity rating report: https://www.rankiteo.com/company/aquasecteam
European Commission cybersecurity rating report: https://www.rankiteo.com/company/european-commission
"id": "AQUEUR1775299151",
"linkid": "aquasecteam, european-commission",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '71 clients of Europa web '
                                              'hosting service (42 European '
                                              'Commission entities, 29 other '
                                              'EU bodies)',
                        'industry': 'Public Sector',
                        'location': 'European Union',
                        'name': 'European Commission',
                        'type': 'Government'}],
 'attack_vector': 'Supply-chain attack (Trivy vulnerability scanning tool)',
 'customer_advisories': 'Affected parties notified',
 'data_breach': {'data_exfiltration': '350GB of data stolen',
                 'number_of_records_exposed': 'Over 51,000 outbound emails',
                 'personally_identifiable_information': ['Names',
                                                         'Usernames',
                                                         'Email addresses'],
                 'sensitivity_of_data': 'High (names, usernames, email '
                                        'addresses, user-submitted content)',
                 'type_of_data_compromised': ['Emails',
                                              'Databases',
                                              'Contracts',
                                              'Personal information']},
 'date_detected': '2026-03-24',
 'date_publicly_disclosed': '2026-03-27',
 'impact': {'data_compromised': '350GB of data (emails, databases, contracts, '
                                'personal information)',
            'identity_theft_risk': 'Names, usernames, email addresses, and '
                                   'personal information exposed',
            'operational_impact': 'No disruption to website availability or '
                                  'internal Commission systems',
            'systems_affected': 'AWS cloud environment (Europa web hosting '
                                'service)'},
 'initial_access_broker': {'backdoors_established': 'Additional AWS access '
                                                    'keys created',
                           'data_sold_on_dark_web': 'Leaked by ShinyHunters on '
                                                    'March 28, 2026',
                           'entry_point': 'Compromised AWS API key via '
                                          'supply-chain attack on Trivy',
                           'reconnaissance_period': 'March 10 to March 24, '
                                                    '2026'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': 'Supply-chain attack on Trivy '
                                           'leading to AWS API key compromise'},
 'ransomware': {'data_exfiltration': 'Yes'},
 'references': [{'source': 'CERT-EU'}],
 'response': {'communication_strategy': 'Notified affected parties; full '
                                        'impact assessment ongoing',
              'containment_measures': 'Investigation by Cybersecurity '
                                      'Operations Centre (CSOC)'},
 'threat_actor': 'TeamPCP',
 'title': 'European Commission Cloud Breach Exposes Data from 30 EU Entities, '
          'Linked to TeamPCP',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Compromised AWS API key via supply-chain attack '
                            'on Trivy'}