EU Cyber Agency Links Major Breach to TeamPCP and ShinyHunters

CERT-EU, the European Union’s cybersecurity agency, has confirmed that the cybercriminal group TeamPCP orchestrated a massive data breach targeting the European Commission. The attackers exfiltrated approximately 92GB of compressed data from a compromised Amazon Web Services (AWS) account, including names, email addresses, and email contents. This breach hit the Europa.eu platform, a cloud service hosting websites and publications for EU institutions and agencies.

Later, another notorious hacking group, ShinyHunters, posted the stolen data online. CERT-EU’s report highlights the unusual collaboration (or at least sequential involvement) of two separate hacking gangs in this incident. ShinyHunters claimed to have obtained some of the data TeamPCP initially exfiltrated and then leaked it publicly.

What users and organizations need to know

The breach impacts not only the European Commission but also at least 29 other EU entities. Dozens of internal Commission clients may have had their data compromised. For organizations relying on EU digital infrastructure, this raises the risk of personal data exposure and potential phishing or targeted attacks. CERT-EU is already reaching out to affected parties, though the full extent of the leak remains under investigation.

Among nearly 52,000 files containing sent email messages, most are automated and pose low risk. However, emails that bounced back with errors might include original user-submitted content, increasing the risk of personal data leaks. If your organization interacts with EU institutions or uses Europa.eu services, stay vigilant for suspicious activity and review your data security measures.

How the breach happened

The attack began on March 19, when the attackers obtained a secret API key linked to the Commission’s AWS account. This was possible because the Commission had inadvertently downloaded a compromised version of the open-source security tool Trivy, which had itself been breached. Using the stolen API key, TeamPCP accessed and exfiltrated sensitive data from the Commission’s cloud storage.

Security researchers from Aqua Security and Palo Alto Networks Unit 42 connect TeamPCP to a broader campaign of supply chain attacks targeting open source projects. By compromising tools developers rely on, the group gains access to keys and credentials, enabling further attacks or even ransomware extortion attempts.

The bottom line

  • If you use open source security tools, verify their integrity before deployment.
  • EU organizations and partners should review cloud security and monitor for suspicious access or data leaks.
  • Be prepared for increased phishing or social engineering attempts leveraging leaked personal data.

Speculation: With the European Commission closed until next week, more details may emerge as investigations progress. For now, this breach highlights the dangers of supply chain attacks and the critical importance of maintaining cloud credential hygiene.