Menu
Browse

Cyber Incident Victim: European Commission

Date:

Jan 2026

Location:

Belgium

Summary

The European Commission experienced two cyberattacks: one compromised its mobile device management infrastructure, exposing staff names and phone numbers and was contained within nine hours; the other targeted its cloud infrastructure hosting the Europa web platform, with early signs of data exfiltration, also swiftly contained. No group was identified in either incident.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 0 motives 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

On January 30 2026 the European Commission’s central infrastructure team that manages mobile devices detected signs of a cyberattack affecting its Endpoint Manager Mobile (EPMM) platform. According to CERT‑EU, the incident was discovered on that date and involved systems used for the management of mobile devices. The commission’s swift response ensured the incident was contained and the affected systems were cleaned within nine hours. CERT‑EU stated that no compromise of mobile devices was detected, but noted that hackers might have accessed personal information pertaining to some European Commission staff members, such as names and phone numbers. The commission disclosed the incident publicly on February 5 2026, at which time it did not name EPMM as the culprit, although subsequent reporting by Dark Reading confirmed that the breach originated from the Ivanti EPMM zero‑day vulnerabilities disclosed on January 29 2026. Valtori, Finland’s public managed services provider, reported a similar breach on the same day, noting that it was compromised through a vulnerability in a commercial mobile device management service that matched the publicly disclosed Ivanti flaw.

Cyber Incident Image

On March 24 2026 the European Commission announced that it had been targeted by a cyberattack impacting its cloud infrastructure that hosts the Europa web platform. Early findings suggested that data exfiltration may have occurred, though the commission said it contained the incident swiftly. The commission did not attribute the attack to any specific group or individual and provided no further details about the scope of data that might have been exfiltrated. The statement emphasized that the response had been rapid and that the incident was under review as part of the commission’s broader cybersecurity initiatives.

Following the January incident, the commission indicated that it would review the security of its systems and take additional precautions if needed, while CERT‑EU said it would conduct a thorough review of the event to help improve the commission’s cybersecurity capabilities. The March incident prompted a similar commitment to review and strengthen defenses, though no specific remedial actions were detailed in the public statements. Both episodes were addressed through internal containment measures, timely disclosure, and pledges to assess and enhance security posture, with no reported compromise of mobile devices in either case. No further technical specifics or attacker identities were made available in the sources provided.

Sources
Sources available to members
4 sources