On March 24, 2026, the executive of the 27-country European Union, the European Commission, announced that its Europa.eu web platform, which is stored on cloud computing infrastructure, had been the victim of a cyberattack.
The attacker made direct calls to journalists instead, gave evidence of access and said they were planning to publicly release the data instead of seeking extortion.
The hacker had infiltrated the cloud of the Commission at least one Amazon Web Services (AWS) account. Amazon assured that its services were functioning accordingly, which again points to the concept of account abuse based on credentials, instead of an issue with the actual cloud systems. Credential-based intrusions, where attackers can access a system using stolen or weak logins over software vulnerabilities, are one of the most widespread entry points in attacks in a cloud environment.
The Commission acted promptly to curtail the damage. As soon as the breach was found, risk mitigation measures were introduced, and the internal systems of the Commission were not impacted. The targeted environment was Europa. Eu, where Commission websites are publicly located. The Commission is currently informing the European Union entities that might have been affected by the incident and is still investigating the extent of the intrusion.
There is no person or organization that has been publicly known to have been behind the attack. The Commission has not accredited the intrusion to any state agency or illegal group, and no reaction to the violator's claims was to be disclosed by Brussels during the period of publication.
Cloud Threats Against EU Institutions Rising
Artificial intelligence is increasing the pace and volume of such intrusions, and account abuse by credentials continues to be a common entry point into governmental and institutional intended targets.
The Commission had been working on its cyber defenses in the pre-breach period. Only eight days before the attack, the EU put in place a new set of against Chinese and Iranian actors on March 16, which is an indication that Brussels is increasingly worried about the threat of state actors attacking European institutions through the Internet. The larger policy framework is indicative of a long-term EU focus on cyber resilience in the face of what government officials have termed an increasing threat to democratic institutions.
Policy communications, regulatory announcements and institutional information about the transatlantic trade, regulatory alignment and diplomatic exchanges between Washington and Brussels are posted. Long-term intrusion of Commission email infrastructure, assuming that the attacker is correct in his assertion of still having access to the server, would cast a shadow on the integrity of communications between the EU representatives and others in U.S. departments and agencies.
The fact that the Commission admitted that it lost data to an unknown party via its web platform, and that it made an unsubstantiated statement that it had been able to access its email servers forever, shows that the burden of proving that the breach is not still going on has been on the EU cybersecurity authorities.
