Overview
The European Commission — the executive body of the European Union — is actively investigating a security breach after an unauthorized threat actor compromised one of its Amazon Web Services (AWS) accounts. The incident was reported on March 27, 2026, and represents the second significant breach to hit EU institutions within just a few months.
What Happened
A threat actor gained unauthorized access to the European Commission’s AWS cloud account and claimed to have exfiltrated over 350 GB of data, reportedly including multiple internal databases and information belonging to Commission employees.
Notably, AWS itself was not compromised. The company confirmed:
“AWS did not experience a security event, and our services operated as designed.”
This means the breach was an account-level compromise — the attacker got into the Commission’s cloud account, not into AWS infrastructure itself. This is a critical distinction and a common pattern in cloud breaches.
How Did This Happen?
The attack method has not been publicly disclosed yet. However, account-level cloud compromises typically occur through one or more of the following vectors:
- Credential theft — stolen IAM (Identity and Access Management) credentials via phishing or malware
- Exposed access keys — AWS access keys accidentally leaked in code repositories or configuration files
- Weak MFA — missing or bypassable multi-factor authentication on privileged accounts
- Third-party compromise — a vendor or contractor with access to the environment is breached first
Given that this is the Commission’s second breach in months (a prior incident in February 2026 involved mobile device management), it raises serious questions about their overall security posture.
Impact
- 350+ GB of data allegedly stolen, including internal databases
- Employee information exposed
- The threat actor has stated they will leak the data publicly but will not attempt extortion — making this a transparency and reputational risk rather than a ransomware scenario
- The full scope of the breach is still under investigation
Response
The Commission’s cybersecurity incident response team detected the breach quickly. However, at the time of reporting, no public disclosure had been made by the Commission itself — the incident became known through the threat actor’s claims and media reporting.
Key Takeaways
This breach is a textbook example of why cloud account security deserves as much attention as traditional network security. A few lessons:
- IAM hygiene matters — least privilege access, rotating keys, and auditing permissions regularly can limit the blast radius of a compromised account
- MFA on all privileged accounts — especially cloud console and API access
- Monitor for unusual data egress — 350 GB leaving your environment should trigger alerts
- Third-party risk — if contractors or vendors have access, their security posture becomes your risk
Cloud providers like AWS secure the infrastructure. Securing what’s on that infrastructure is entirely on you — this is the shared responsibility model in action.