
CERT-EU: European Commission hack exposes data of 30 EU entities

The European Union’s cybersecurity agency, CERT-EU, has attributed a significant cloud data breach at the European Commission to the threat group TeamPCP, impacting at least 29 Union entities.

Key Points

  • The breach originated on March 10 when TeamPCP used a stolen Amazon Web Services API key obtained via a Trivy supply-chain attack.
  • Attackers utilized the TruffleHog tool to scan for additional credentials and evade detection within the European Commission’s cloud environment.
  • The data extortion group ShinyHunters published a 90GB archive of stolen documents on the dark web on March 28.
  • Compromised data includes personal information, usernames, email addresses, and over 51,000 files related to outbound email communications.
  • The incident affected 42 internal European Commission clients and 29 other Union entities hosted on the europa.eu service.
  • CERT-EU confirmed that no websites were tampered with and no lateral movement occurred beyond the initial cloud environment.

Why it Matters

This incident highlights the severe risks posed by supply-chain attacks and the potential for stolen API keys to bypass standard cloud security monitoring. The exposure of sensitive personal data across multiple European Union entities underscores the critical need for robust credential management and proactive threat detection in government cloud infrastructure.

BleepingComputer, published by Sergiu Gatlan