The European Commission confirmed this week that it "discovered a cyber-attack, which affected part of our cloud infrastructure." The breach occurred on March 24 and struck the Commission's Amazon Web Services account before being detected and blocked.
More than 350 gigabytes of data, including multiple databases, is reported to have been stolen. The threat actor provided screenshots as proof of access to information belonging to European Commission employees and to an email server they use. The attacker is threatening to publish the data online but is not demanding a ransom.
The breach "affected its cloud infrastructure hosting the Commission's web presence on the Europa.eu platform," which hosts much of the Commission's website data. Europa.eu hosts not only European Commission websites but also those of the European Parliament, the Council of the European Union, and other EU bodies, which significantly heightens the sensitivity of the incident.
The Commission stated that "the Commission's internal systems were not affected by the cyber-attack." Yet the scale of the exposure is significant. Initial assessments suggest that the breach originated in the identity and access management layer of the Commission's cloud infrastructure, the layer that controls who can log in, what they can access, and which administrative actions they can perform.
This is not the first time the Commission has faced a cyberattack this year. In February, the Commission announced an earlier data breach after discovering on January 30 that the Mobile Device Management platform for staff devices had been hacked, an incident that was addressed within nine hours. That first incident appears to be linked to a broader wave of attacks exploiting code injection vulnerabilities in Ivanti Endpoint Manager Mobile.
The timing cuts deep. European institutions are scaling cloud adoption while simultaneously pushing digital sovereignty initiatives, and the Commission has been migrating systems to cloud infrastructure as part of its digital transformation agenda. Ironically, the breach comes soon after the Commission proposed new cybersecurity legislation to strengthen defences against state-backed and cybercrime groups targeting critical infrastructure.
The European Commission sits at the apex of EU governance, coordinating policy for 27 member states and 450 million citizens; when hackers successfully penetrate infrastructure at this level, the ripple effects reshape procurement standards across the entire European public sector. Cloud storage security remains the weakest link in many enterprise deployments, and organisations rushing to adopt cloud infrastructure often misconfigure access controls, leave storage buckets exposed, or fail to implement proper encryption key management.
For Australian observers, the breach offers a cautionary lesson. As governments worldwide accelerate their shift to cloud-based systems and promote vendor diversity away from American tech giants, the Commission's experience demonstrates that the problem is rarely the cloud platform itself. The issue is believed to be linked to compromised credentials or weak access controls, not a failure in AWS itself. Security maturity matters far more than where data lives.
The Commission has already begun coordinating with potentially affected institutions and services, with a comprehensive technical analysis to follow, aimed at strengthening cybersecurity defences and preventing similar incidents in the future.