European Commission cloud breach: a supply-chain compromise

By CERT-EU

Foreword

In the interest of transparency, and in full agreement with the European Commission, CERT-EU is publishing this blog post to inform the wider community about a cybersecurity incident affecting the European Commission’s public website platform “europa.eu” hosted on Amazon Web Services (AWS) cloud infrastructure.

CERT-EU was notified of this incident on 25 March 2026 by the European Commission, in accordance with Article 21 of Regulation (EU, Euratom) 2023/2841 (the “Cybersecurity Regulation”), which requires the Union institutions, bodies, offices and agencies (Union entities) to report significant incidents to CERT-EU without undue delay. CERT-EU has been providing support in accordance with Article 22 of the same Regulation.

On March 27, the European Commission publicly disclosed the incident through a press release.

Key points

  • On March 24, the European Commission’s Cybersecurity Operations Centre received alerts about potential misuse of Amazon APIs, potential account compromise, and an abnormal increase in network traffic. On March 25, CERT-EU was informed.
  • We assess with high confidence that initial access was obtained through the Trivy supply-chain compromise, which was publicly attributed to a threat actor known as TeamPCP.
  • A significant volume of data (about 91.7 GB compressed) was exfiltrated from the compromised AWS account, including personal data such as names, email addresses, and email content.
  • On March 28, the data extortion group ShinyHunters made the stolen data publicly available on their dark web leak site.
  • The compromised account is part of the technical infrastructure that drives multiple websites of the European Commission. Data pertaining to at least 29 other Union entities may be affected.
  • We assess that the rise in supply-chain compromises poses a significant threat. We strongly encourage all organisations to implement the recommendations in this post.

What happened

On March 25, CERT-EU received a notification from the European Commission that one of their AWS cloud accounts had been compromised. The first alerts, indicating potential misuse of Amazon APIs, potential account compromise, and an unusual volume of network traffic, had been detected by their Cybersecurity Operations Centre (CSOC) team the previous day.

An investigation uncovered that a malicious actor acquired an Amazon Web Services (AWS) secret (an API key) on March 19 through the Trivy supply-chain compromise. This key granted control over other AWS accounts affiliated with the European Commission. On the same day, the threat actor attempted to discover additional secrets by launching TruffleHog, a tool commonly used for scanning for secrets and validating AWS credentials by calling the Security Token Service (STS). STS is the AWS service that issues short-lived security credentials for accessing AWS resources and that can be used to verify which identity a credential belongs to.

The threat actor used the compromised AWS secret to create and attach a new access key to an existing user, aiming to evade detection. They then carried out reconnaissance activities.

The European Commission swiftly revoked the compromised account’s rights to block any illegitimate access. All compromised access keys have been deactivated or deleted.

How it happened

The European Commission and CERT-EU have assessed with high confidence that the initial access vector was the Trivy supply-chain compromise, publicly attributed to TeamPCP by Aqua Security. The firm has provided comprehensive details on this compromise in its advisory.

This assessment is based on three main factors:

  • The timing of the Trivy supply-chain compromise coincides with the observed initial compromise on March 19.
  • The specific resources being targeted: AWS credentials and cloud infrastructure.
  • The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels.

According to Aqua Security, TeamPCP's tooling is designed to operate within CI/CD pipelines and exfiltrates harvested secrets via multiple channels, including typosquatted domains, GitHub repositories, and Cloudflare tunnels.

What data was taken

The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities.

On March 28, the data extortion group ShinyHunters published the exfiltrated dataset on their dark web leak site, claiming to have stolen “data dumps of mail servers, datavases [sic], confidential documents, contracts, and much more sensitive material”. The published dataset was approximately 91.7 GB compressed (340 GB uncompressed).

Analysis of the published dataset has so far confirmed the presence of personal data, including lists of names, last names, usernames, and email addresses, predominantly from the European Commission’s websites but potentially pertaining to users across multiple Union entities.

The dataset also contains at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, “bounce-back” notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure.

The analysis of the databases linked to the hosted websites is underway. Given the volume and intricate nature of the data involved, this process requires a considerable amount of time.

Lateral movement

The threat actor obtained management rights for the compromised AWS secret, which could have allowed them to move laterally to other AWS accounts belonging to the European Commission. However, no indication of such movement has been uncovered so far.

What the European Commission did

The European Commission took the following response actions:

  • Immediately secured the compromised AWS secret and disabled the newly created access keys involved in the threat actor’s activities.
  • Sent a breach notification to their Data Protection Controller (DPC) and the potentially affected Union entities’ Data Protection Officers (DPOs).
  • Notified the European Data Protection Supervisor (EDPS), as required under Regulation (EU) 2018/1725 for personal data breaches involving Union institutions.
  • Starting on March 31, began communicating directly with the identified impacted clients of the Europa web hosting service through dedicated meetings to inform them of the incident and the measures taken.

The European Commission’s press release of March 27 confirmed that its internal systems were not affected and that it would continue to monitor the situation and take all necessary measures to ensure the security of its systems and data.

Who else is affected

The compromised AWS cloud account forms part of the technical backend of the “europa.eu” web hosting service. This service supports several public websites of the European Commission and other Union entities. As noted above, exfiltrated data may pertain to 42 internal clients of the European Commission, and at least 29 other Union entities using the service.

No websites were taken offline or tampered with by the threat actor, and no service interruptions have been observed.

The European Commission has already initiated direct communications with the identified impacted clients (see “What the European Commission did” above), facilitated where relevant by CERT-EU. Should the ongoing analysis of the exfiltrated databases yield further findings, additional details on specific exposure will be shared directly with the affected parties.

Timeline

Date         Event
2026-03-19   The threat actor obtained a compromised AWS secret (API key) with management rights over other AWS accounts belonging to the European Commission, via the Trivy supply-chain compromise. On the same day, the threat actor launched TruffleHog to scan for additional secrets and began reconnaissance activities.
2026-03-24   The European Commission’s CSOC team received alerts indicating potential misuse of Amazon APIs, potential account compromise, and an unusually large volume of network traffic. An incident response process was initiated.
2026-03-25   CERT-EU was informed by the European Commission that at least one AWS cloud account had been compromised. The European Commission secured the compromised AWS secret and disabled the newly created access keys.
2026-03-27   The European Commission published a press release disclosing the incident.
2026-03-28   Data extortion group ShinyHunters released the exfiltrated dataset publicly on their dark web leak site.
2026-03-31   The European Commission began communicating directly with impacted clients of the Europa web hosting service through dedicated meetings.

Tactics, Techniques and Procedures (TTPs)

ATT&CK ID    Technique
T1586.003    Compromise Accounts: Cloud Accounts
T1078.004    Valid Accounts: Cloud Accounts
T1195.002    Supply Chain Compromise: Compromise Software Supply Chain
T1005        Data from Local System

What to do

Immediate

Address the Trivy supply-chain compromise. As a priority, organisations using Trivy should:

  • Update to a known-safe version as identified by Aqua Security.
  • Rotate all AWS secrets and credentials that may have been exposed to Trivy during the compromise window.
  • Audit Trivy versions deployed across all environments, including CI/CD pipelines.
  • Pin all GitHub Actions to full SHA hashes rather than mutable tags.
  • Search CI/CD logs and environments for exfiltration artefacts associated with TeamPCP (e.g., connections to typosquatted domains, unexpected Cloudflare tunnel activity).
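The pinning step above can be checked mechanically. The following is an added example, not tooling from CERT-EU or the Trivy project: it scans a constructed workflow excerpt for `uses:` references that are not pinned to a full commit SHA (or, for `docker://` images, to a digest). The action names and the SHA in the sample are illustrative.

```python
import re

# Constructed workflow excerpt (not from the incident); the action names, the
# commit SHA and the image reference are illustrative only.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      - uses: ./.github/actions/local-helper
      - uses: docker://ghcr.io/example/tool:latest
      - uses: example-org/security-scan@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def is_pinned(ref):
    """True when a `uses:` reference resolves to immutable content: a full 40-hex
    commit SHA for git actions, or a sha256 digest for docker:// images."""
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    _, _, version = ref.partition("@")
    return bool(FULL_SHA_RE.match(version))

def unpinned_actions(workflow_text):
    """Return (line_no, reference) for every remote action that is not pinned.
    Local actions (./path) are skipped: they are versioned with the repository."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith("./") and not is_pinned(m.group(1)):
            findings.append((n, m.group(1)))
    return findings
```

Run it over every file under `.github/workflows/`; a mutable tag such as `@v4` or `@main` is exactly the kind of reference a compromised upstream can silently repoint.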

Audit and rotate AWS credentials. Review all AWS access keys, particularly those accessible from CI/CD pipelines. Deactivate any keys that are unused, over-privileged, or that may have been exposed. Enable and review AWS CloudTrail logs for indicators consistent with this incident, including anomalous STS calls, use of TruffleHog, creation of new access keys on existing users, and lateral movement.
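Two of the CloudTrail indicators named above, an STS validation burst and a new access key attached to an existing user, can be expressed as simple detections. This is an added example written for this post, not CERT-EU or Commission tooling; it runs over constructed CloudTrail-style records (user names, times and user agents are made up), and the five-minute window and threshold of five calls are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not from the incident); names, times and agents are made up.
SAMPLE_EVENTS = [
    *[{"eventTime": f"2026-03-19T10:0{i}:00Z", "eventSource": "sts.amazonaws.com",
       "eventName": "GetCallerIdentity", "userIdentity": {"userName": "ci-deploy"},
       "userAgent": "TruffleHog"} for i in range(6)],  # six validation calls in 5 min
    {"eventTime": "2026-03-19T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"userName": "web-admin"}, "userAgent": "aws-cli/2.0"},
    {"eventTime": "2026-03-19T11:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": {"userName": "analyst"},
     "userAgent": "aws-cli/2.0"},  # a single call from an analyst: benign
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def sts_validation_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Principals making >= threshold sts:GetCallerIdentity calls within one window.
    Secret scanners validate harvested keys this way, so a burst from a CI identity
    is a strong signal. Returns {userName: largest call count seen in a window}."""
    per_user = defaultdict(list)
    for e in events:
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "GetCallerIdentity":
            per_user[e["userIdentity"].get("userName", "<unknown>")].append(_ts(e))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def keys_created_on_other_users(events):
    """iam:CreateAccessKey calls where the caller attached a key to a different,
    existing user: the persistence and evasion step described in the post."""
    hits = []
    for e in events:
        if e["eventSource"] == "iam.amazonaws.com" and e["eventName"] == "CreateAccessKey":
            caller = e["userIdentity"].get("userName")
            target = e.get("requestParameters", {}).get("userName", caller)
            if target != caller:
                hits.append((e["eventTime"], caller, target))
    return hits
```

Feed real CloudTrail JSON records (the `Records` array of each log file) into both functions; a hit from either, from a pipeline identity, should trigger key rotation before the investigation continues.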

Short-term

Restrict CI/CD pipeline access to cloud credentials. Review whether CI/CD pipelines have access to AWS secrets. Where they do, ensure credentials are scoped to the minimum required permissions. Consider implementing AWS Service Control Policies (SCPs) to restrict sensitive API actions at the organisation level.

Implement vendor risk management for CI/CD dependencies. Establish release verification and vendor risk assessment processes for third-party CI/CD tooling. This includes verifying signatures on tool updates, maintaining an inventory of pipeline dependencies, and subscribing to security advisories for critical components. The Trivy compromise demonstrates that trusted vendors can become vectors for malicious code distribution.

Implement behavioural monitoring for CI/CD environments. Deploy behavioural monitoring and real-time alerting to detect anomalous CI/CD activity, such as unexpected secret access, outbound connections to unknown endpoints, or atypical API usage patterns. This enables early identification of supply-chain compromises before data exfiltration occurs.

Continuously

Enforce least privilege and credential hygiene. Apply least privilege principles across all cloud accounts and CI/CD service accounts. Implement regular credential rotation schedules, restrict access to credential storage mechanisms, and monitor for suspicious credential-related activity. Refer to MITRE mitigations M1043 (Credential Access Protection) and M1018 (User Account Management) for additional guidance.

Monitor for secondary exploitation of disclosed data. Given that the exfiltrated dataset has been publicly released, organisations whose data may be affected should monitor for targeted phishing or social engineering attempts leveraging the disclosed personal information (names, e-mail addresses, e-mail content). Raise awareness among staff accordingly.

Maintain software update and vulnerability scanning practices. Ensure all systems, applications, and CI/CD tooling are kept up to date with security patches. Conduct regular vulnerability scans to identify misconfigurations, unpatched software, or other weaknesses. Refer to MITRE mitigations M1051 (Update Software) and M1016 (Vulnerability Scanning) for additional guidance.

Legal framework

This incident and CERT-EU’s involvement fall within the framework of Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023, laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union. Relevant provisions include:

  • Article 21 (Reporting obligations) – requires Union entities to notify CERT-EU of significant incidents without undue delay, within 24 hours of becoming aware of them.
  • Article 22 (Incident response coordination and cooperation) – mandates CERT-EU to provide support to the affected Union entity and to coordinate the response with relevant stakeholders.
  • Article 17 (Cooperation with Member State counterparts) – provides for CERT-EU to cooperate and exchange incident-specific information with national CSIRTs and competent authorities.
  • Article 20 (Cybersecurity information-sharing arrangements) – enables the voluntary sharing of cybersecurity information between Union entities and with relevant counterparts to improve collective detection and response capabilities.

About CERT-EU

CERT-EU is the Cybersecurity Service for the Union institutions, bodies, offices and agencies, established under Regulation (EU, Euratom) 2023/2841. Under the Cybersecurity Regulation, CERT-EU acts as the central cybersecurity hub for all Union entities, providing threat intelligence, incident response coordination, vulnerability management, and security guidance. CERT-EU also supports Union entities in implementing their cybersecurity risk-management frameworks and issues calls for action to raise the collective level of cybersecurity across the EU institutional ecosystem.

CERT-EU is a member of the CSIRTs Network, the network of national Computer Security Incident Response Teams established under the NIS2 Directive (Directive (EU) 2022/2555). The CSIRTs Network facilitates operational cooperation and the exchange of cybersecurity information between EU Member States and Union entities, enabling coordinated responses to cross-border cyber incidents.

CERT-EU also maintains a structured cooperation with ENISA, the European Union Agency for Cybersecurity, as provided for under Regulation (EU) 2019/881 (the Cybersecurity Act). This cooperation covers areas such as cyber threat analysis and the sharing of threat landscape assessments.
