EU cybersecurity authorities say a recent intrusion into the European Commission’s cloud environment has exposed a large volume of internal files and may affect dozens of institutions across the bloc. The disclosure shifts attention to cloud supply-chain risks and raises immediate data-protection and operational questions for EU bodies.
CERT-EU, the EU’s computer emergency response team, attributes the breach primarily to a group identified as TeamPCP, and says some of the pilfered material later appeared online via the hacking collective ShinyHunters. Officials report the incident began in mid‑March and involved access to an Amazon Web Services account used by the Commission.
What the agency found
CERT-EU says roughly 92 gigabytes of compressed data were taken from the Commission’s AWS environment that hosts the Europa.eu platform — the public-facing infrastructure member states use for websites and institutional publications. Investigators have identified thousands of files that include names, email addresses and email content.
While most of the captured messages are automated system notices with little substantive content, CERT-EU warns that some bounced or error replies could contain original user submissions and therefore pose a real risk of personal-data exposure.
- Date of intrusion: March 19 (first access traced by investigators)
- Claimed perpetrators: TeamPCP (primary attribution); data later posted by ShinyHunters
- Volume of data: ~92 GB compressed
- Potentially affected parties: the Commission plus at least 29 other EU entities
- Notable content: ~52,000 sent-email files, personal identifiers, and internal communications
How the attackers gained entry
CERT-EU’s report links the compromise to an API key tied to the Commission’s AWS account. That key was apparently harvested after attackers exploited vulnerabilities in the open-source security scanner Trivy. The Commission had, according to investigators, downloaded a compromised version of the tool following Trivy’s own security incident, enabling attackers to pivot from the developer tool to cloud credentials.
The trajectory — from an infected open-source component to credentials leakage and then to cloud data exfiltration — is consistent with the supply-chain attack patterns cybersecurity firms have warned about over the past year.
Multiple actors, overlapping roles
Attribution in this case is notable because two separate groups are tied to the same incident. CERT-EU points to TeamPCP as the source of the AWS access, while material matching that theft later appeared in a ShinyHunters leak.
In an online exchange with TechCrunch, a member of ShinyHunters said some of the published files had previously been taken by ShinyHunters from TeamPCP during other operations and were now being released. TeamPCP did not respond to requests for comment.
Wider context and risk
Security vendors tracing both groups say TeamPCP has a track record that includes ransomware, crypto‑mining and repeated supply‑chain intrusions. Palo Alto Networks’ Unit 42 has warned that attackers who secure developer keys can move into cloud environments and then attempt extortion.
For EU institutions the immediate risks are practical and regulatory: exposed personal data may trigger GDPR notifications, internal operations could be disrupted, and individuals whose emails appear in the leak could face targeted phishing or identity misuse.
CERT-EU says it has contacted organizations it believes are affected and continues to analyze the material posted online.
What this means for citizens and officials
At a minimum, people listed in the exposed files should be alert to suspicious messages that attempt credential theft or impersonation. Institutions using shared cloud services or third‑party developer tools should review key management and the provenance of open‑source components in their supply chains.
Short-term steps authorities typically take include rotating compromised credentials, auditing access logs, and notifying individuals whose personal data may have been exposed.
Longer-term, the incident underscores the need for stricter controls around developer tooling and for cloud operators to implement stronger isolation between services and credentials.
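As an added illustration of the access-log audit mentioned above (example code, not from CERT-EU or the article), the following Python flags use of an AWS access key from a source outside its known baseline, run over a constructed CloudTrail-style sample. The key IDs, IP addresses and the per-key baseline are assumptions; only the field names follow the real CloudTrail record format.

```python
import json

# Constructed sample of CloudTrail-style records (not real Commission logs).
# Field names follow the CloudTrail record format; every value is made up.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-19T08:02:11Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2026-03-19T08:02:40Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2026-03-19T09:15:00Z", "eventName": "GetObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0001"},
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0"},
    {"eventTime": "2026-03-19T10:00:00Z", "eventName": "GetObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0002"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
]

# Assumed baseline: the network location(s) each CI/scanner key is expected
# to be used from. A key that shows up elsewhere is a rotation candidate.
EXPECTED_SOURCES = {"AKIAEXAMPLEKEY0001": {"203.0.113.10"}}

# Calls that typically appear first when a leaked key is tried out by
# someone other than its owner; flagged separately so triage can prioritise.
RECON_CALLS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "GetObject"}


def find_suspicious_key_use(events, expected_sources):
    """Return one finding per event in which a baselined key is used from an
    IP outside its baseline; keys without a baseline are skipped."""
    findings = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        src = ev.get("sourceIPAddress")
        if key not in expected_sources:
            continue  # nothing to compare against for this key
        if src not in expected_sources[key]:
            findings.append({"accessKeyId": key, "sourceIPAddress": src,
                             "userAgent": ev.get("userAgent"),
                             "eventName": ev["eventName"],
                             "eventTime": ev["eventTime"],
                             "recon": ev["eventName"] in RECON_CALLS})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_key_use(SAMPLE_EVENTS, EXPECTED_SOURCES):
        print(json.dumps(f))
```

Keys that produce findings should be rotated, and the finding's user agent is a second signal: a baseline built from CLI use that suddenly shows an SDK agent from a new address is worth escalating even when the IP alone is ambiguous.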
Key takeaways
- Supply-chain attacks on developer tools can lead quickly to high-impact cloud breaches.
- Even automated or bounce-message emails can contain sensitive submissions and should not be dismissed.
- Cross-group activity—where different criminal collectives handle access, resale or publication—complicates containment and attribution.
The European Commission has said it will respond to media inquiries after the body reopens; meanwhile CERT-EU’s ongoing investigation aims to clarify the full scope and to support affected EU entities in containment and remediation.