European Commission Investigates Breach After Threat Actor Accesses Amazon Cloud Account

By Ash K

The European Commission is investigating a security breach after a threat actor gained unauthorized access to at least one Amazon cloud account used to manage part of its infrastructure, in an incident that may have exposed a significant volume of internal data.

According to reporting first published by BleepingComputer, the attacker claims to have stolen more than 350 GB of data, including multiple databases, screenshots, and information tied to internal systems. Reuters separately reported that the compromised environment supported the Commission’s Europa web platform and that initial findings indicate data was extracted from the affected websites.

The Commission has confirmed that it detected unauthorized access and launched an investigation, with its incident response team now working to determine the scope of the intrusion, what data may have been accessed, and whether the incident is connected to earlier security issues affecting European institutions.

The attacker reportedly told BleepingComputer that they do not intend to extort the Commission, but instead plan to leak the stolen material at a later time. The same report said the actor provided screenshots appearing to show access to employee-related information, an internal email server, and cloud-hosted resources.

That makes the incident especially notable. Unlike many recent public-sector breaches that revolve around immediate ransom demands, this case appears, at least for now, to center on unauthorized access and data exfiltration. If confirmed, that would raise the risk of future leaks, secondary phishing activity, or politically sensitive disclosures rather than a straightforward ransomware negotiation.

Reuters reported that the cyberattack targeted cloud infrastructure used for the Europa web platform and said the Commission’s internal systems were not compromised. That distinction matters because it suggests the incident may have been contained to a specific cloud environment rather than the Commission’s wider internal network, although the investigation remains ongoing and the final scope is not yet public.

BleepingComputer’s report also noted that the breach may be linked to the earlier wave of attacks involving Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities that affected the European Commission and other European institutions in early 2026. At this stage, no formal attribution has been announced, and the possible connection remains under investigation.

The earlier Ivanti-related incidents were already significant because they showed how weaknesses in management infrastructure could expose sensitive government systems and employee information. If this newer Amazon cloud account compromise is connected, it would suggest either follow-on activity from the same intrusion set or a broader pattern of threat actors pivoting across related administrative environments.

The incident also underscores a broader cloud security reality for public institutions. A compromise of a single privileged cloud account can create outsized risk if it governs storage, websites, communications components, or shared administrative assets. Even when the affected environment is narrower than the organization’s full internal network, the exposed data can still have operational, political, and reputational consequences.

For now, the European Commission says it is continuing to investigate the incident. Until more technical details emerge, the most important open questions are whether the attacker truly exfiltrated the claimed 350 GB of data, what kinds of records are included, and whether the intrusion shares infrastructure or tactics with the earlier Ivanti EPMM exploitation seen across Europe.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, products, and security solutions architecture.