
Moderate | Anti-Privacy | Data Breach

Executive Summary

A threat group called TeamPCP breached the European Commission's Amazon cloud environment using a stolen API key, exposing personal data including names, email addresses, and email content from at least 30 EU entities. The attackers exfiltrated a 90GB dataset containing tens of thousands of files, which was subsequently published on the dark web by data extortion group ShinyHunters. The breach affected 42 internal European Commission clients and at least 29 other Union entities using the euro...

What Happened

On March 10, 2026, the threat group TeamPCP used a stolen Amazon Web Services API key to breach the European Commission's cloud environment, exfiltrating a 90GB dataset containing tens of thousands of files. The API key, which had been compromised in a prior supply-chain attack called Trivy, gave the attackers management rights over multiple European Commission AWS accounts. On March 28, the data extortion group ShinyHunters published the stolen data on their dark web leak site, exposing personal information including names, email addresses, usernames, and email content from users across European Commission websites and other EU entity platforms.

Who Is Affected

The breach affects users of 42 internal European Commission clients and at least 29 other European Union entities that use the europa.eu web hosting service, totaling up to 71 distinct organizations. Personal data exposed includes names, last names, usernames, email addresses, and the content of at least 51,992 outbound email files. The impacted individuals are predominantly associated with European Commission websites, but users across multiple Union entities are potentially affected.

Why It Matters

This incident demonstrates how supply-chain compromises can cascade into large-scale institutional breaches, affecting dozens of government entities through a single cloud environment. The five-day detection gap between the initial intrusion on March 10 and the alert on March 24 highlights vulnerabilities in cloud security monitoring for sensitive government infrastructure. The publication of the data on the dark web by a known extortion group increases the risk of further exploitation, identity theft, and targeted phishing attacks against EU personnel and citizens.

What You Should Do

If you are affiliated with any European Commission service or EU entity using europa.eu hosting, immediately change passwords for all accounts associated with those services and enable multi-factor authentication where available. Monitor your email accounts and financial statements for suspicious activity, as your email address and potentially email content may now be in the hands of cybercriminals. Be alert for phishing attempts that reference specific details from your communications, and report any suspicious emails to your organization's security team. Contact your organization's data protection officer to understand what specific data of yours may have been exposed and what additional protections are being implemented.

AI-Assisted

Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.

A threat group called TeamPCP breached the European Commission's Amazon cloud... - Industry | PrivacyWire