The European Commission has acknowledged that hackers might have accessed data from the cloud infrastructure supporting its Europa.eu platform.
In a statement released on March 27, the Commission confirmed the detection of a cyber-attack on March 24 and noted that it took “immediate steps” to investigate and mitigate the breach.
“The Commission's prompt response ensured the incident was contained and risk mitigation measures were implemented to safeguard services and data, without affecting the availability of the Europa websites,” the statement elaborated.
“Preliminary findings from our ongoing investigation indicate that data has been extracted from those websites. The Commission is appropriately informing the Union entities that may have been impacted by the incident. Our services are still assessing the full ramifications of the incident.”
The Commission indicated that its “internal systems” were not affected by the attack and that it will maintain oversight of the situation, analyze the incident, and leverage any findings to “further enhance its cybersecurity capabilities.”
According to screenshots shared on X (formerly Twitter), the extortion group ShinyHunters claims to have compromised over 350GB of data from the European Commission, which includes dumps from mail servers, databases, confidential documents, contracts, and other sensitive information.
Additional screenshots purportedly published by ShinyHunters seem to display the personally identifiable information (PII) of employees.
Security analysts at the International Cyber Digest reported that the hackers accessed emails, DKIM signing keys, internal admin URLs, and data from the content collaboration platform NextCloud and the military financing tool Athena. A complete single sign-on (SSO) user directory may also have been compromised.
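Stolen DKIM signing keys let an attacker sign mail that passes authentication for the affected domain, so the defender's first step is to publish a new selector and revoke the old one (an empty `p=` tag). The following is an added example, not code from the article or from the Commission: it parses DKIM selector TXT records in the RFC 6376 tag=value format and flags selectors whose keys are believed stolen but are still published. The domain `example.org`, the selector names and the record contents are constructed sample data; a real audit would fetch `<selector>._domainkey.<domain>` over DNS.

```python
"""Audit DKIM selector records after a signing-key compromise (added example)."""
import re

# Constructed sample: what TXT lookups of <selector>._domainkey.example.org might return.
# The p= values are placeholder base64, not real keys.
SAMPLE_RECORDS = {
    "old2023": "v=DKIM1; k=rsa; p=c2FtcGxlLWtleS1ub3QtcmVhbA==",
    "revoked": "v=DKIM1; k=rsa; p=",
    "new2026": "v=DKIM1; k=rsa; t=s; p=YW5vdGhlci1zYW1wbGUta2V5LW5vdC1yZWFs",
    "broken": "this is not a dkim record",
}


def parse_dkim_record(txt):
    """Parse a DKIM TXT record into a dict of tags; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, _, value = part.partition("=")
        # RFC 6376 allows folding whitespace inside the base64 p= value; drop it.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM version")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def audit_selectors(records, compromised):
    """Classify each selector and return (statuses, findings).

    records:     {selector: TXT record text}
    compromised: set of selectors whose private keys the responder believes
                 were stolen (supplied by the responder, not derived from DNS)
    statuses:    {selector: "active" | "revoked" | "malformed"}
    findings:    human-readable items a responder should act on
    """
    statuses = {}
    findings = []
    for sel, txt in records.items():
        try:
            tags = parse_dkim_record(txt)
        except ValueError as exc:
            statuses[sel] = "malformed"
            findings.append(f"{sel}: malformed record ({exc})")
            continue
        # An empty p= is the standard way to revoke a selector.
        statuses[sel] = "revoked" if tags["p"] == "" else "active"
        if sel in compromised and statuses[sel] == "active":
            findings.append(
                f"{sel}: compromised key still published; publish an empty p= to revoke"
            )
    # Revoking every key would break outbound mail authentication, so make sure
    # a trusted replacement selector is live before the old ones are pulled.
    trusted_active = [s for s, st in statuses.items() if st == "active" and s not in compromised]
    if not trusted_active:
        findings.append("no trusted active selector; publish a new key before revoking the old one")
    return statuses, findings


if __name__ == "__main__":
    statuses, findings = audit_selectors(SAMPLE_RECORDS, compromised={"old2023"})
    for sel, status in statuses.items():
        print(f"{sel:10} {status}")
    for item in findings:
        print("FINDING:", item)
```

Run against the sample data, the audit reports `old2023` as still active despite being marked compromised and `broken` as malformed, while `new2026` satisfies the requirement that a trusted selector is live before revocation. Mail receivers cache nothing about DKIM keys beyond DNS TTLs, so once the old selector publishes an empty `p=`, mail signed with the stolen key stops validating after the TTL expires.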
ShinyHunters On the Prowl
ShinyHunters is a notorious hacking group with a history of targeting high-profile victims. Their most significant campaign involved stealing SSO credentials and Salesforce data from companies such as Google, Chanel, Pandora, Panera Bread, Match Group, and many others last year. They followed that with another campaign earlier this month that targeted Experience Cloud websites.
The group is known for its vishing tactics; in some instances, they impersonate IT helpdesk personnel during calls to victims, deceiving them into providing their credentials on phishing sites that mimic legitimate corporate portals.
The exact method of the breach affecting the European Commission remains unclear. Reports suggest that the incident involved data stored in the Commission's AWS environment, although the cloud provider has confirmed that its services were not compromised. Unverified discussions on social media have indicated that the EU security agency ENISA may also have been affected.
Nick Tausek, lead security automation architect at Swimlane, expressed concerns that the breach could lead to identity risks, operational disruptions, and subsequent spear-phishing attacks.
“The attacker asserting they will refrain from extortion does not lessen the severity of the situation; it merely alters the approach,” he remarked. “A quiet leak can be equally damaging to trust, diplomacy, and ongoing investigations, compelling defenders to navigate a complicated mix of containment, forensics, and communication while the organization is still determining what has been breached and what remains exposed.”