Europe’s Cyber Agency Blames Hacking Gangs For Massive Data Breach And Leak

A major EU data breach hit the European Commission's AWS cloud, exposing 92GB of data.
Matilda

EU Data Breach Exposes 92GB of Commission Secrets — And Two Hacker Groups Are Behind It

A massive EU data breach has struck at the heart of European governance. The European Union's own cybersecurity agency has confirmed that criminal hackers infiltrated the European Commission's cloud infrastructure, stealing 92 gigabytes of compressed data — including names, email addresses, and private email contents. If you are wondering who is behind this cyberattack on the EU, two separate hacking groups are now at the center of the investigation.


What Happened: Inside the European Commission Cyberattack

The story begins on March 19, when hackers first gained access to a secret API key linked to the European Commission's Amazon Web Services account. This was not a random attack. According to the EU's cybersecurity body, CERT-EU, the breach traces back to a compromised version of an open source security tool called Trivy.

The Commission had unknowingly downloaded a tampered copy of Trivy following an earlier supply chain attack targeting the project itself. That single download gave hackers the foothold they needed. Once inside, they pivoted through the cloud environment and began quietly siphoning off data at scale.

The breach affected the Commission's Europa.eu cloud platform — the digital backbone used by EU member states to host institutional websites and publications. This was not a fringe system. It was central infrastructure touching dozens of agencies across the bloc.

92 Gigabytes Stolen: What Data Was Exposed

The scale of the EU data breach is striking. CERT-EU confirmed that approximately 92 gigabytes of compressed data was taken from the compromised AWS account. This included personal information such as names and email addresses, as well as the actual contents of email messages.

Investigators found that close to 52,000 files contained sent email messages. While the agency noted that the majority of these are automated system emails with little content, bounced-back messages are a serious concern. Those bounce-back emails can contain the original text submitted by real users, creating direct exposure of personal data.

At least 29 other EU entities may also have been affected. Dozens of internal European Commission clients could similarly have had their data stolen, making this one of the most wide-reaching institutional data breaches in EU history.

Two Hacker Groups, One Breach: How TeamPCP and ShinyHunters Are Connected

One of the most unusual aspects of this incident is CERT-EU's attribution of the attack to two distinct criminal groups — something rarely seen in cybersecurity investigations.

The initial intrusion and data theft are attributed to a cybercriminal group called TeamPCP. This group has a documented history of ransomware attacks and cryptocurrency mining campaigns. More recently, according to cybersecurity researchers at Palo Alto Networks Unit 42, TeamPCP has been running a systematic campaign of supply chain attacks — deliberately targeting widely used open source security tools to harvest sensitive API keys from unsuspecting organizations.

The stolen data did not stay quiet for long. A second, well-known hacking collective called ShinyHunters subsequently obtained some of the data that TeamPCP had taken in earlier attacks and published it online. A member of ShinyHunters confirmed this directly to journalists, saying they had taken a portion of the previously stolen data and leaked it publicly.

By targeting developer-facing tools and credential stores, these hackers gain the ability to hold compromised organizations hostage — demanding ransom payments in exchange for not releasing or further exploiting the data.

Why a Supply Chain Attack on an Open Source Tool Is So Dangerous

The entry point for this EU cyberattack — an open source security scanner called Trivy — reveals a growing and deeply troubling pattern in modern cybercrime. Supply chain attacks work by poisoning software that organizations already trust and actively use.

When an open source project like Trivy gets compromised, every organization that downloads a new version or update becomes a potential victim. The attack does not need to break through firewalls or defeat endpoint security. It simply waits for the target to unknowingly invite it in.

Aqua Security, the company behind Trivy, has linked TeamPCP to multiple previous incidents of this kind. The group appears to be deliberately and systematically hunting for trusted open source tools with large user bases — the higher the adoption, the broader the potential damage from a single compromise.

This is not a problem limited to the European Commission. Any organization that uses open source software in its development or security pipeline faces similar exposure if that software is targeted.

The Europa.eu Platform: Why This Target Matters

The breach of the Europa.eu cloud platform carries significance beyond the raw data numbers. This platform is not a single government department's system — it is shared infrastructure used by member states and institutions across the entire EU bloc to publish official content, host public websites, and manage institutional communications.

A compromise at this level means that the blast radius of a single successful attack extends far beyond one agency. It can touch dozens of institutions simultaneously, which is exactly what happened here. CERT-EU confirmed that at least 29 separate EU entities may have had data exposed through this single intrusion.

This kind of shared infrastructure creates efficiency for governments but also concentrates risk. One weak link — in this case, a downloaded security tool — can cascade across an entire ecosystem.

What Comes Next: CERT-EU's Response and the Road Ahead

CERT-EU has confirmed it is already in contact with all affected organizations. The agency is continuing to analyze the data that was published online to fully understand the scope of personal data exposure.

The European Commission itself has not yet issued a detailed public response, with spokespeople indicating the body would respond after an upcoming scheduled closure period. That delay, while procedurally understandable, may draw scrutiny given the scale of the breach and the sensitivity of the data involved.

For cybersecurity professionals and policymakers watching this case, the incident reinforces several hard lessons. First, supply chain security is no longer optional — even trusted tools can become weapons. Second, cloud credentials like API keys must be treated with the same care as physical access badges to secure facilities. A single exposed key was all it took to crack open 92 gigabytes of EU Commission data. Third, the collaboration between two separate criminal groups to steal and then publicly leak data suggests a maturing and increasingly interconnected criminal ecosystem that traditional attribution models struggle to capture.
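As an added, defensive illustration of the second lesson (this is not code from the article, CERT-EU or Aqua Security): a small detector over constructed CloudTrail-style events that flags an access key used from a source IP outside its baseline and bulk S3 read calls per key, the trail a harvested key's use tends to leave. The field names are standard CloudTrail ones; the key id, IP addresses, baseline and sample events are all made up.

```python
import json
from collections import Counter

# Constructed baseline (hypothetical values): the source IPs each access key is
# normally used from; in practice built from weeks of prior CloudTrail history.
KNOWN_SOURCES = {"AKIAEXAMPLEKEY00001": {"203.0.113.10"}}
BULK_READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2", "ListBuckets"}
BULK_THRESHOLD = 3  # flag a key/IP pair once it issues this many read calls

# Constructed sample log: one normal read, a malformed line the parser must
# skip, then a burst of reads from an IP the key has never been seen from.
KEY = "AKIAEXAMPLEKEY00001"
SAMPLE_LOG = [
    json.dumps({"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"accessKeyId": KEY}}),
    "not json at all",
    json.dumps({"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
                "userIdentity": {"accessKeyId": KEY}}),
] + [json.dumps({"eventName": "GetObject", "sourceIPAddress": "198.51.100.77",
                 "userIdentity": {"accessKeyId": KEY}}) for _ in range(3)]

def parse_events(raw_lines):
    """Parse one JSON CloudTrail record per line, skipping malformed lines."""
    events = []
    for line in raw_lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_suspicious(events, known=KNOWN_SOURCES, threshold=BULK_THRESHOLD):
    """Return findings: key used from an unseen IP, and bulk S3 reads per key/IP."""
    new_ip, reads = set(), Counter()
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        ip = ev.get("sourceIPAddress")
        if not key or not ip:
            continue  # events without a key/IP (e.g. service-linked) are ignored
        if ip not in known.get(key, set()):
            new_ip.add((key, ip))
        if ev.get("eventName") in BULK_READ_EVENTS:
            reads[(key, ip)] += 1
    findings = [{"key": k, "ip": ip, "reason": "new_source_ip"}
                for k, ip in sorted(new_ip)]
    findings += [{"key": k, "ip": ip, "reason": "bulk_reads", "count": n}
                 for (k, ip), n in sorted(reads.items()) if n >= threshold]
    return findings
```

Run on the constructed sample, the detector reports the unseen IP once and the read burst from it once, while the single read from the baseline IP produces nothing.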

What This Breach Means for Cybersecurity Across Europe and Beyond

The EU data breach is a warning that applies well beyond Brussels. Governments, corporations, and institutions around the world rely on open source tooling, cloud infrastructure, and shared platforms in ways that create systemic vulnerabilities. The tactics used by TeamPCP — compromising trusted software to harvest credentials at scale — are already being replicated by other criminal groups globally.

For everyday citizens, the exposure of names, email addresses, and email contents from EU institutional systems is a reminder that even the most powerful and well-resourced organizations are not immune to cyberattacks. The sophistication of the attack, the scale of the data stolen, and the involvement of multiple criminal actors all point to a new era of organized, strategic cybercrime targeting critical public infrastructure.

The EU will need to not only respond to this breach but fundamentally reassess how it manages shared cloud infrastructure, vets open source dependencies, and protects the credential stores that serve as the keys to its most sensitive systems.

The hackers found one unlocked door. What remains to be seen is how many others are still open.
