Cyber Incident Victim: European Commission

On November 29, 2016, the European Commission publicly disclosed a distributed denial-of-service (DDoS) attack that disrupted its internet services for several hours the preceding week. The attack commenced in the afternoon and persisted until late evening, specifically targeting the Commission’s public-facing website and network gateways. This sustained bombardment overwhelmed infrastructure, degrading connectivity and preventing staff from accessing online resources required for routine operations. While no data exfiltration or breach occurred, the prolonged outage resulted in significant operational paralysis, with employees unable to perform work tasks during the incident window. A Commission spokesperson confirmed the attack’s cessation without complete service interruption but acknowledged temporary reductions in connection speeds that hampered productivity.

The Commission’s cybersecurity team engaged the EU Computer Emergency Response Team (CERT-EU) to investigate the incident’s origin and scope. Internal mitigation measures successfully halted the attack, though technical specifics of these countermeasures were not disclosed publicly. No attribution details—including potential threat actor identities, geographical origins, or motives—were released by investigators. The absence of data compromise was repeatedly emphasized in official communications, distinguishing the event from contemporaneous breaches affecting other EU institutions. CERT-EU’s probe remained ongoing at the time of reporting, with no further public updates on forensic findings or long-term remediation steps beyond immediate containment. Operational impacts were quantified solely as lost labor hours attributable to the network downtime.