
The EU Commission’s recent cloud breach has been linked to a supply-chain attack involving the Trivy security tool, with officials warning that data from at least 29 other EU entities may have been exposed.
Investigators say the attackers leveraged compromised software updates to access cloud systems and exfiltrate large volumes of data later leaked online.
According to a detailed disclosure published by CERT-EU, the incident was first detected on March 24, 2026, when the European Commission’s Cybersecurity Operations Centre (CSOC) identified suspicious Amazon Web Services (AWS) API activity, potential account compromise, and an unusual spike in network traffic. The Commission notified CERT-EU the following day, triggering a coordinated response under the EU Cybersecurity Regulation.
Subsequent analysis found with high confidence that the initial access occurred on March 19 through a supply-chain compromise of Trivy, an open-source vulnerability scanning tool widely used in CI/CD environments. The malicious campaign has been publicly attributed by Aqua Security to a threat actor tracked as TeamPCP, which distributed a trojanized version of the tool via legitimate update channels. This allowed attackers to harvest sensitive credentials from affected systems.
The European Commission, the EU’s executive body responsible for proposing legislation and implementing policy decisions, uses AWS infrastructure to power its europa.eu platform. This centralized hosting service supports numerous public-facing websites across EU institutions and agencies, making it a high-value target. The compromise of a single AWS secret key enabled attackers to access interconnected cloud resources tied to this platform.
Investigators determined that the attackers obtained an AWS API key with elevated privileges, which they used to establish persistence by creating additional access keys under existing accounts. They also deployed TruffleHog, a tool designed to scan environments for exposed secrets, and leveraged AWS Security Token Service (STS) calls to validate credentials and expand access. While this level of control could have enabled lateral movement across accounts, no evidence of such activity has been identified so far.
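As an added detection illustration of the persistence pattern described above (this is not code from the article, CERT-EU or the Commission), the following Python flags CloudTrail records where an access key is first checked with sts:GetCallerIdentity and then used to call iam:CreateAccessKey from the same non-trusted source address. The sample records, key ids, user names and IPs are constructed, and GetCallerIdentity is assumed to be the STS validation call the article refers to.

```python
"""Detection over CloudTrail for the pattern described above: an access key is
validated with sts:GetCallerIdentity and then used to mint further IAM keys."""
import json
from collections import defaultdict

# Constructed sample CloudTrail records (JSON lines). Key ids, users and IPs are
# made up for the example; they are not data from the incident.
SAMPLE_CLOUDTRAIL = """
{"eventTime":"2026-03-19T10:01:12Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"ci-scanner","accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2026-03-19T10:02:40Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"ci-scanner","accessKeyId":"AKIAEXAMPLE0000001"},"requestParameters":{"userName":"deploy-admin"}}
{"eventTime":"2026-03-19T10:03:05Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"deploy-admin","accessKeyId":"AKIAEXAMPLE0000002"}}
{"eventTime":"2026-03-19T09:30:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"10.0.0.5","userIdentity":{"type":"IAMUser","userName":"iam-admin","accessKeyId":"AKIAEXAMPLE0000003"},"requestParameters":{"userName":"iam-admin"}}
"""

def parse_records(text):
    """One CloudTrail record per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_key_abuse(records, trusted_ips=frozenset()):
    """Return one finding per CreateAccessKey whose calling key was earlier
    validated via GetCallerIdentity from the same, non-trusted source IP.
    Records are processed in eventTime order so 'validated before created' holds."""
    by_ip = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec["sourceIPAddress"] not in trusted_ips:
            by_ip[rec["sourceIPAddress"]].append(rec)
    findings = []
    for ip, events in by_ip.items():
        validated = set()  # access keys this IP has already checked with STS
        for ev in events:
            ident = ev["userIdentity"]
            key = ident.get("accessKeyId")
            if ev["eventName"] == "GetCallerIdentity":
                validated.add(key)
            elif ev["eventName"] == "CreateAccessKey" and key in validated:
                target = ev.get("requestParameters", {}).get("userName", ident.get("userName"))
                findings.append({
                    "time": ev["eventTime"], "source_ip": ip,
                    "caller": ident.get("userName"), "caller_key": key,
                    "new_key_for": target,
                    # a key minted for a principal other than the caller itself
                    "cross_user": target != ident.get("userName"),
                })
    return findings

if __name__ == "__main__":
    for finding in find_key_abuse(parse_records(SAMPLE_CLOUDTRAIL), trusted_ips={"10.0.0.5"}):
        print(finding)
```

The routine administrative key creation from the trusted address is not flagged because it was never preceded by an STS check from that host; tune `trusted_ips` to the CI and admin egress addresses of the environment.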
The primary objective appears to have been data exfiltration. CERT-EU estimates that approximately 91.7 GB of compressed data (around 340 GB uncompressed) was stolen. The dataset includes personal information such as names, usernames, email addresses, and email content, along with over 50,000 files related to outbound communications. While many of these messages were automated notifications, some “bounce-back” emails may contain user-submitted content, increasing the risk of sensitive data exposure.
On March 28, the ShinyHunters data extortion group published the stolen dataset on its dark web leak site. The exposed data is believed to affect up to 71 clients of the europa.eu hosting service, including 42 internal European Commission departments and at least 29 other Union entities, though the full scope is still under investigation.
In response, the Commission revoked compromised credentials, disabled unauthorized access keys, and notified relevant data protection authorities, including the European Data Protection Supervisor (EDPS). It also began direct outreach to impacted organizations on March 31. Officials reiterated that no internal systems were affected and that services remained operational throughout the incident.
