The European Commission confirmed unauthorized access to its Amazon Web Services cloud infrastructure following a March 2026 cyberattack, with the incident now linked to the TeamPCP threat group. The breach was disclosed after investigators identified compromised credentials and data exposure affecting multiple EU entities.
According to findings from CERT-EU, attackers gained access to cloud-hosted resources tied to the Commission’s europa.eu infrastructure, impacting websites and services used by at least 30 EU organizations. Early assessments indicate that data was exfiltrated from the affected environment, though the full scope remains under investigation.
Attack method tied to supply-chain compromise
The intrusion has been attributed with high confidence to a supply-chain attack involving a compromised version of the Trivy security scanning tool. Investigators determined that attackers obtained an AWS API key around March 19, which provided access to Commission cloud resources.
Using the compromised credential, the threat actor conducted reconnaissance activity and attempted to identify additional secrets within the environment. Tools such as TruffleHog were reportedly used to scan for exposed credentials and validate access across AWS services.
The attackers also created new access keys within the environment, likely as a persistence mechanism to maintain access while avoiding detection.
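The key-creation persistence described above can be hunted for in CloudTrail. The following is an added example, not code from CERT-EU or the Commission: it flags `CreateAccessKey` calls authenticated with a long-term (`AKIA`) key and raises severity when the same key recently called `GetCallerIdentity` or targeted another user. Treating `GetCallerIdentity` as the credential-validation signal, the one-hour window, and all sample records (simplified and constructed) are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed correlation window, tune to your environment

def _rec(time, name, user, key, ip, target=None, new_key=None, id_type="IAMUser"):
    """Build a constructed, simplified CloudTrail record with only the fields used below."""
    return {
        "eventTime": time, "eventName": name, "sourceIPAddress": ip,
        "userIdentity": {"type": id_type, "userName": user, "accessKeyId": key},
        "requestParameters": {"userName": target} if target else None,
        "responseElements": {"accessKey": {"accessKeyId": new_key}} if new_key else None,
    }

# Constructed sample events; names, keys and IPs are placeholders, not incident data.
SAMPLE = [
    _rec("2026-01-01T10:00:00Z", "GetCallerIdentity", "ci-scanner", "AKIAEXAMPLE0000000001", "198.51.100.7"),
    _rec("2026-01-01T10:12:00Z", "CreateAccessKey", "ci-scanner", "AKIAEXAMPLE0000000001", "198.51.100.7",
         target="web-deploy", new_key="AKIAEXAMPLE0000000002"),
    _rec("2026-01-01T11:00:00Z", "CreateAccessKey", "admin-role", "ASIAEXAMPLE0000000003", "192.0.2.10",
         new_key="AKIAEXAMPLE0000000004", id_type="AssumedRole"),  # temporary credential: ignored
    _rec("2026-01-01T12:00:00Z", "CreateAccessKey", "ops-rotate", "AKIAEXAMPLE0000000005", "192.0.2.20",
         new_key="AKIAEXAMPLE0000000006"),  # self-rotation, no prior validation call
]

def find_key_persistence(records):
    """Flag CreateAccessKey calls authenticated with a long-term (AKIA) access key."""
    last_probe, findings = {}, []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        ident = rec.get("userIdentity") or {}
        caller_key = ident.get("accessKeyId") or ""
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if rec["eventName"] == "GetCallerIdentity":
            last_probe[caller_key] = when  # remember the latest validation call per key
        elif rec["eventName"] == "CreateAccessKey" and caller_key.startswith("AKIA"):
            # With no userName in the request, IAM creates the key for the caller itself.
            target = (rec.get("requestParameters") or {}).get("userName") or ident.get("userName")
            created = ((rec.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
            probed = caller_key in last_probe and when - last_probe[caller_key] <= WINDOW
            cross_user = target != ident.get("userName")
            findings.append({
                "time": rec["eventTime"], "caller_key": caller_key,
                "source_ip": rec.get("sourceIPAddress"), "target_user": target, "new_key": created,
                "severity": "high" if probed or cross_user else "medium",
            })
    return findings

if __name__ == "__main__":
    for finding in find_key_persistence(SAMPLE):
        print(finding)
```

Each finding carries the newly issued key ID, which is the credential to deactivate and trace during containment.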
Data exposure spans multiple EU entities
Analysis indicates that the breach affected up to 71 clients hosted within the europa.eu infrastructure, including 42 European Commission entities and at least 29 additional EU organizations. Tens of thousands of files were reportedly exfiltrated from the environment.
The exposed data is believed to include website-related databases, email files, and user information such as names, usernames, and email addresses. While much of the data appears to be tied to public-facing services, the presence of user-submitted content and internal communications increases the potential sensitivity of the breach.
Timeline suggests multi-day undetected access
Investigators believe the initial compromise may have occurred as early as March 10, with confirmed malicious activity beginning around March 19 following the acquisition of AWS credentials. The European Commission detected the intrusion on March 24 after identifying unusual API activity and abnormal network traffic within its cloud environment.
The incident was contained shortly after detection, and no disruption to public-facing websites was reported.
Organizational response and ongoing investigation
The European Commission notified affected entities and is working with CERT-EU, AWS, and external cybersecurity experts to assess the full impact of the breach.
The organization stated that its internal systems were not affected and that the compromise was limited to specific cloud-hosted services. It has since implemented containment measures and is continuing to strengthen its cloud security posture.
The investigation remains ongoing, with further analysis required to determine the complete scope of the data exposure and any potential downstream risks associated with the incident.












