
The European Commission confirms attack on its Europa web platform

By Kirsten Doyle | April 2, 2026 | Updated: April 2, 2026

The European Commission has confirmed a cyberattack affecting its Europa.eu web platform, with initial reports indicating that the attackers accessed data from cloud infrastructure provided by AWS.

The incident was detected on 24 March. The Commission stated that the attack was contained and that the investigation is still underway.

Actors affiliated with the ShinyHunters group have claimed responsibility, stating that they accessed over 350 gigabytes of data from the Commission’s databases and internal documents. The Commission stated that the group accessed some of its data but did not verify the full extent. It said those affected are being notified.

In a statement, the Commission said its internal systems were not affected by the cyber-attack. “The Commission will continue to monitor the situation and take all necessary measures to ensure the security of its internal systems and data. It will analyse the incident and use the results to further enhance its cybersecurity capabilities.” 

Exposed digital assets are prime targets  

Lydia Zhang, President & Co-Founder of Ridge Security Technologies, said: “Continuously exposed external digital assets, such as public websites and AWS S3 buckets, have become prime attack targets, especially with the rise of AI-driven automated threats. Organizations must strengthen their security posture; continuously scanning, testing, and remediating vulnerabilities across these interfaces is no longer optional, but essential.” 

Noelle Murata, Sr. Security Engineer at Xcape Inc, added: “The business impact has escalated from a simple web defacement to a massive Identity and Access Management (IAM) crisis, as the breach likely involves the theft of DKIM keys and SSO directories. This means the adversary can now generate perfectly authenticated emails that bypass DMARC checks, turning the Commission’s own reputation into a weapon for secondary spear-phishing campaigns across the EU.” 

A failure of identity hygiene 

She said the technical post-mortem indicates a failure of identity hygiene rather than a cloud security flaw. “AWS has publicly cleared its own name, pointing to compromised credentials – likely harvested via the group’s signature vishing tactics against IT helpdesks.” 

For defenders, Murata said the priority is no longer just “containing” the breach but an immediate, wholesale rotation of all cloud-based signing keys and a mandatory password reset for the entire SSO tenant. “Furthermore, organizations interacting with the EC should treat all incoming ‘official’ correspondence with extreme skepticism, even if it passes cryptographic validation. The reality is that if your identity provider is compromised, your ‘secure’ cloud is effectively an open book. The EU is about to find out that GDPR compliance is a lot harder to enforce when you’re the one filling out the self-report form.”

Organizations need stronger visibility 

Phil Wylie, Senior Consultant & Evangelist at Suzu Labs, commented: “This attack shows that threat actors do not always need to penetrate core internal networks to create risk. Public-facing cloud environments often contain valuable operational data that can support reconnaissance, social engineering, and follow-on attacks.”

Wylie added that most cloud breaches are not failures of the provider but issues around identity security, access management, or configuration. “The real lesson here is that organizations need stronger visibility into how cloud data is accessed and moved, not just whether malware is present. Even if the affected systems were isolated, any confirmed data exfiltration should be treated as potential intelligence exposure that could enable future targeting.” 

The potential blast radius determines true impact 

Rajeev Raghunarayan, Head of GTM at Averlon, said: “Cloud breaches are rarely contained to the system where the compromise started. The real question is what that system had access to, regardless of whether it was considered external or internal. Public-facing applications are often connected to backend services, databases, and storage, and a compromise can expose far more than the initial entry point suggests. The separation between external and internal systems can limit blast radius, but only if access across those layers is tightly controlled, whether through network paths, vulnerabilities, misconfigurations, or identity permissions.”

According to Raghunarayan, the priority for organizations is understanding what data and systems were reachable from the compromised environment, not just what was directly affected. “That potential blast radius is what determines the true impact and guides an effective response.” 
