Cyber Incident Victim: European Commission

Date: Mar 2026

Location: Belgium

Summary

The European Commission disclosed that attackers compromised one or more Amazon Web Services accounts linked to its Europa.eu platform, resulting in the alleged theft of over 350 gigabytes of data that the threat actor said would be leaked rather than used for extortion. The organization said its websites remained online, internal systems were unaffected, and that a swift response contained the incident while risk‑mitigation measures were applied. Amazon Web Services stated that no security event occurred on its side and that its services functioned as intended. The body also noted a prior alert concerning possible exposure of staff names and mobile numbers from its mobile‑device management infrastructure.


Description

On Thursday, March 26, 2026, the European Commission announced that it had detected an attack on its Europa.eu platform, providing few details about the nature of the breach. On Friday, March 27, 2026, the security news site Bleeping Computer reported that the attack involved the compromise of one or more accounts on Amazon Web Services (AWS). The report cited an unnamed threat actor who claimed responsibility for the intrusion and said they had exfiltrated more than 350 gigabytes of Commission data. The actor provided screenshots to the reporter as evidence of the stolen data and stated that they intended to leak the information rather than attempt extortion. The Commission said it was continuing to investigate the theft of data from its cloud infrastructure that had occurred earlier in the week.

Amazon Web Services responded that its services had not experienced a security event and that they operated as designed during the incident. The Commission stated that the Europa websites remained available to users throughout the incident. It added that its swift response had contained the incident and that risk mitigation measures had been implemented to protect services and data. The Commission also noted that its internal systems were not affected by the attack. The threat actor’s claim of having stolen over 350 GB of data remains unverified by independent sources, but the actor asserted possession of the material and intention to publish it.

This incident follows a separate disclosure by the Commission on January 30, 2026, that traces of a cyber attack had been found on its central infrastructure for managing mobile devices. The January disclosure indicated that the breach could have exposed the names and mobile numbers of some Commission staff. No further details about the January incident were provided in the source material. The Commission’s statements about the March incident emphasized containment, continued availability of its web services, and the lack of impact on internal systems. The overall situation involves an alleged data exfiltration from AWS‑hosted Commission resources, a claim of impending public leakage, and a prior unrelated mobile‑device‑infrastructure alert.
