TeamPCP Breach Exposes European Commission Cloud Data, Affecting 29 EU Entities
The **European Union**'s Cybersecurity Service (**CERT-EU**) has attributed a recent breach of the **European Commission**'s cloud environment to the threat group **TeamPCP**. The attack, which leveraged stolen AWS credentials, resulted in the exposure of data belonging to at least 29 other EU entities.

### Breach Details
The **European Commission** publicly acknowledged the data breach on March 27th, following inquiries from BleepingComputer. The incident stemmed from a compromise of the Commission's **Amazon Web Services (AWS)** cloud environment. **CERT-EU** was notified of the intrusion on March 24th, five days after the initial breach, highlighting a delay in detecting the malicious activity.
### Attack Vector: Stolen AWS Credentials
On March 19th, **TeamPCP** used a compromised AWS API key that granted them management rights over other **European Commission** AWS accounts. The API key was stolen during the **Trivy** supply-chain attack. The attackers then used **TruffleHog**, a tool designed to scan and validate cloud credentials, to uncover additional secrets. To evade detection, they attached a newly created access key to an existing user account before proceeding with reconnaissance and data theft.
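
The persistence step described above, a new access key attached to an existing user, leaves a CloudTrail `CreateAccessKey` record in which the caller differs from the user receiving the key. The following detection sketch is an added example, not code from CERT-EU or the original article; the records, user names, key ids, times and addresses are constructed, and the function names are hypothetical.

```python
IAM, S3 = "iam.amazonaws.com", "s3.amazonaws.com"

def record(time, source, name, caller, key_id, ip, issued=None):
    # Build a CloudTrail-shaped record holding only the fields this check reads.
    ev = {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "userName": caller, "accessKeyId": key_id}}
    if issued:  # (target user, new key id) as returned by a successful CreateAccessKey
        ev["responseElements"] = {"accessKey": {"userName": issued[0], "accessKeyId": issued[1]}}
    return ev

# Constructed sample trail: users, key ids, times and addresses are placeholders.
SAMPLE_EVENTS = [
    record("2030-01-01T09:00:00Z", IAM, "CreateAccessKey", "alice", "AKIAEXAMPLEA1",
           "192.0.2.10", issued=("alice", "AKIAEXAMPLEA2")),
    record("2030-01-01T10:00:00Z", IAM, "CreateAccessKey", "ci-scanner", "AKIAEXAMPLEC1",
           "198.51.100.7", issued=("web-pub", "AKIAEXAMPLEN1")),
    record("2030-01-01T10:02:00Z", IAM, "ListUsers", "web-pub", "AKIAEXAMPLEN1", "198.51.100.7"),
    record("2030-01-01T10:03:00Z", S3, "ListBuckets", "web-pub", "AKIAEXAMPLEN1", "198.51.100.7"),
    record("2030-01-01T10:05:00Z", S3, "ListBuckets", "alice", "AKIAEXAMPLEA1", "192.0.2.10"),
]

def cross_user_key_creations(events):
    """Successful CreateAccessKey calls that issued a key to someone other than the caller."""
    hits = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (IAM, "CreateAccessKey"):
            continue
        issued = (ev.get("responseElements") or {}).get("accessKey")
        if ev.get("errorCode") or not issued:
            continue  # denied or failed call: no key was issued
        caller = ev.get("userIdentity", {}).get("userName")  # absent for assumed roles
        if issued.get("userName") != caller:
            hits.append({"time": ev["eventTime"], "caller": caller,
                         "target": issued.get("userName"), "new_key": issued.get("accessKeyId"),
                         "source_ip": ev.get("sourceIPAddress")})
    return hits

def activity_by_key(events, key_ids):
    """API calls signed with any of the flagged keys, in trail order."""
    used = {k: [] for k in key_ids}
    for ev in events:
        kid = ev.get("userIdentity", {}).get("accessKeyId")
        if kid in used:
            used[kid].append((ev["eventTime"], ev["eventName"], ev.get("sourceIPAddress")))
    return used

if __name__ == "__main__":
    for hit in cross_user_key_creations(SAMPLE_EVENTS):
        print(hit, activity_by_key(SAMPLE_EVENTS, [hit["new_key"]]))
```

A key that a user issues to itself is not flagged, so this check is best paired with an alert on any user that gains a second active key. Callers that are assumed roles carry no `userName` and are always flagged, which may call for an allowlist of administrative roles.
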
### TeamPCP's Modus Operandi
**TeamPCP** has a history of orchestrating supply-chain attacks targeting developer code platforms such as **GitHub**, **PyPI**, **npm**, and **Docker**. The group was also behind the compromise of the **LiteLLM PyPI package**, deploying the "TeamPCP Cloud Stealer" information-stealing malware that impacted tens of thousands of devices.
### Data Leak and Impact
On March 28th, the data extortion group **ShinyHunters** published the stolen data on their dark web leak site. The archive, totaling 90GB (340GB uncompressed), contained names, email addresses, and email content.
**CERT-EU**'s analysis confirmed the theft of tens of thousands of files containing personal information, usernames, and email content. The breach potentially affects 42 internal **European Commission** clients and at least 29 other Union entities using the europa.eu web hosting service.

"The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities," **CERT-EU** stated.
The leaked dataset includes personal data such as names, usernames, and email addresses, predominantly from the **European Commission**'s websites but potentially pertaining to users across multiple Union entities. It also contains at least 51,992 files related to outbound email communications, totaling 2.22 GB. While the majority of these are automated notifications, "bounce-back" notifications may contain user-submitted content, posing a risk of personal data exposure.
**CERT-EU** confirmed that no websites were taken offline or tampered with, and no lateral movement to other Commission AWS accounts was detected.
The **European Commission** has notified relevant data protection authorities and is in direct communication with affected entities. Analysis of the exfiltrated data is ongoing and expected to take a considerable amount of time.
This incident follows a previous data breach disclosed by the **European Commission** in February, which involved a compromised mobile device management platform used to manage staff devices.