When the supply chain becomes an open door: the case of the European Commission

Introduction

In March 2026, the European Commission was hit by a data breach affecting its cloud infrastructure. The incident involved dozens of European Union entities and led to the publication of hundreds of gigabytes of data on the dark web. This case illustrates in very concrete terms how vulnerable even large public institutions can be when the threat comes from an unexpected point in the software supply chain.

What happened

It all began on March 19, 2026, when a group identified as TeamPCP gained unauthorized access to the European Commission’s cloud infrastructure, hosted on Amazon Web Services. The access was achieved by exploiting a vulnerability within Trivy, a widely used software tool designed to analyze the security of computer systems. In other words, the attackers did not directly target the Commission, but instead compromised a third-party tool that the Commission trusted. This type of attack is called a supply chain compromise.

Through this entry point, the attackers were able to steal a cloud services access key, which allowed them to move within the systems, explore the available data, and ultimately copy it. The breach was detected on March 24, 2026, five days after the initial access. On March 28, the data was published on the dark web by the group ShinyHunters. In total, approximately 350 gigabytes of data were stolen, equivalent to roughly 91.7 gigabytes when compressed. Among the exfiltrated information were names, email addresses, and messages belonging to individuals. The attack affected 42 internal customers of the Commission and at least 29 other European Union entities. Attribution of the initial access to the TeamPCP group was carried out by Aqua Security, the company behind Trivy, and by CERT-EU, the European Union’s computer emergency response team.

Why it matters

This incident demonstrates that even organizations with significant resources and well-established security procedures can be compromised through third-party software considered trustworthy. The number of entities involved (42 internal customers and at least 29 other EU entities, 71 in total) shows how a single compromised access point can have far-reaching consequences. The personal data published on the dark web could be used for phishing attempts or other illicit purposes targeting the individuals whose data was exposed.

What organizations and users can do

Organizations should regularly audit the third-party software they use, including tools designed for security purposes. Monitoring access to cloud systems and limiting privileges to only what is strictly necessary are fundamental practices. Anyone who may have been affected should pay particular attention to suspicious emails in the coming months.
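As an added illustration (not code from this page or from any organization named in it), the Python sketch below applies the two practices above to constructed CloudTrail-style records: it flags a scanner's access key being used from outside the network its owner is expected to operate from, and a burst of object reads by that key. The key ID, network ranges, threshold and events are all assumed sample values.

```python
import ipaddress
from collections import Counter

# Assumption: the scanner pipeline's key is only ever used from the CI network.
EXPECTED_NETWORKS = {"AKIAEXAMPLESCANNER01": ["10.20.0.0/16"]}
BULK_READ_THRESHOLD = 3  # GetObject calls by one key within the sample window

# Constructed CloudTrail-style records (sample data, not from the incident).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-19T10:00:01Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.20.4.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESCANNER01"}},
    {"eventTime": "2026-03-19T22:14:03Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESCANNER01"}},
    {"eventTime": "2026-03-19T22:15:10Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESCANNER01"}},
    {"eventTime": "2026-03-19T22:15:11Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESCANNER01"}},
    {"eventTime": "2026-03-19T22:15:12Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLESCANNER01"}},
]


def key_of(event):
    return event.get("userIdentity", {}).get("accessKeyId", "")


def off_network_uses(events, expected=EXPECTED_NETWORKS):
    """Return (key, ip, eventName) for calls made from outside the key's expected networks."""
    hits = []
    for e in events:
        nets = expected.get(key_of(e))
        if nets is None:          # key not under this policy; skip
            continue
        ip = ipaddress.ip_address(e["sourceIPAddress"])
        if not any(ip in ipaddress.ip_network(n) for n in nets):
            hits.append((key_of(e), str(ip), e["eventName"]))
    return hits


def bulk_readers(events, threshold=BULK_READ_THRESHOLD):
    """Return keys whose GetObject count in the window reaches the threshold."""
    counts = Counter(key_of(e) for e in events if e["eventName"] == "GetObject")
    return {k: c for k, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    print(off_network_uses(SAMPLE_EVENTS))
    print(bulk_readers(SAMPLE_EVENTS))
```

Both signals are cheap to compute from existing audit logs; an alert on the first one would have fired on the very first call from the unexpected network.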

Final takeaways

  • Security tools themselves can become attack vectors if they are not kept up to date and properly monitored.
  • Five days can be enough to exfiltrate hundreds of gigabytes of sensitive data.
  • Cooperation between private vendors and public institutions — as demonstrated by Aqua Security and CERT-EU — is essential for responding swiftly.

Sources:
https://www.csoonline.com/article/4154176/cert-eu-blames-trivy-supply-chain-attack-for-europa-eu-data-breach.html
https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain
https://www.helpnetsecurity.com/2026/04/03/european-commission-cloud-breach/
https://www.securityweek.com/european-commission-confirms-data-breach-linked-to-trivy-supply-chain-attack/

Source: SecurityWeek