Cyber Incident Victim: European Commission's Cybersecurity Atlas
Date: Aug 2021
Location: Belgium
Summary
A threat actor breached the European Commission's Cybersecurity Atlas project, obtaining and attempting to sell a backend database dump containing contact details of cybersecurity experts, organizations, universities, and government entities across Europe. The compromised data included usernames, email addresses, institutional affiliations, full names, physical addresses, and geolocation coordinates used for mapping members. While much of this information was publicly accessible by design, forensic analysis confirmed the dataset originated from a direct intrusion into the Commission's Drupal-based servers rather than web scraping. The primary security concern centered on potential misuse of this privileged access to launch phishing or watering hole attacks impersonating the Commission's platform. In response, officials took the Atlas website offline for maintenance and initiated an investigation with CERT-EU to assess the intrusion's scope and impact.
Description
On August 2, 2021, the European Commission initiated an investigation following the appearance of a backend database from its Cybersecurity Atlas project for sale on an underground cybercrime forum. The Cybersecurity Atlas, operational since 2018, functioned as a public directory mapping European cybersecurity experts and organizations to facilitate collaboration, displaying contact details, institutional affiliations, and geographic locations of registered entities. A threat actor advertised access to the complete database, offering it for sale via Discord, and claimed possession of an SQL database dump from the project’s Drupal-based website. The Record verified the authenticity of the leaked data through an independent acquisition, confirming it contained usernames, email addresses, full names of contacts, organizational addresses, and geolocation coordinates used for mapping purposes. While the Atlas was designed to publicly display participant information, the compromised data originated from a direct breach of the backend servers rather than a scrape of publicly visible content, indicating unauthorized access to the Commission’s internal systems.

The European Commission responded by taking the Atlas website offline for maintenance and engaging CERT-EU, its dedicated cybersecurity response team, to analyze the intrusion. An EC spokesperson stated that immediate measures were implemented but did not disclose technical specifics of the breach or mitigation steps. The incident raised concerns about potential secondary threats, as attackers could have exploited backend access to manipulate the platform for phishing or watering hole attacks against registered experts, leveraging the Commission’s trusted domain. The breach occurred against a backdrop of heightened cyber threats targeting EU institutions, with CERT-EU reporting 1,432 security incidents across EU bodies in 2020—the highest annual tally in the team’s decade-long history. No evidence suggested misuse of the stolen data beyond its attempted sale, and the Commission maintained focus on securing the system while investigating the intrusion’s scope and origins.
