The European Commission confirmed on March 27 that hackers breached its Amazon Web Services account and stole over 350GB of data, including databases and employee information. The attackers say they plan to leak everything publicly.
The breach hit the cloud infrastructure hosting Europa.eu, the Commission’s official web platform. Internal IT systems weren’t affected, according to officials, but the organization is still investigating exactly what data the attackers accessed.
What Happened
On March 24, 2026, the Commission detected unauthorized access to its AWS-hosted cloud systems. The threat actor, identified as ShinyHunters — a cybercriminal group known for high-profile data dumps — claimed responsibility and provided screenshots to BleepingComputer showing access to employee data and an email server.
The Commission’s statement acknowledged the severity: “Early findings of our ongoing investigation suggest that data have been taken from those websites.” They’re now notifying EU entities that may have been affected.
Here’s the awkward part: Amazon says they didn’t experience a security event. “AWS did not experience a security event, and our services operated as designed,” the company stated. Translation: this wasn’t an AWS vulnerability. The Commission’s credentials or configurations were the problem.
How Big Tech Cloud Providers Shift the Blame
This response pattern is standard for cloud providers, and it reveals a fundamental tension in cloud computing.
When you store data on AWS, Azure, or Google Cloud, you’re responsible for access management, credential security, and proper configuration. The provider handles infrastructure security. So when a breach happens through compromised credentials or misconfigured storage buckets, the provider can accurately say their systems worked “as designed.”
The problem: most organizations don’t have the resources or expertise to secure cloud deployments at the level required. Default configurations are often dangerously permissive. Access controls are complex. And the shared responsibility model means the cloud provider walks away from any breach that doesn’t involve their code.
This isn’t hypothetical. Misconfigured AWS S3 buckets have exposed billions of records over the years. The 2019 Capital One breach affected 100 million customers through a misconfigured AWS WAF. And now the European Commission joins the list.
Why This Should Concern You
The European Commission isn’t some small business running outdated WordPress. This is the executive branch of the European Union — the body that drafts and enforces GDPR. They have resources. They have security teams. They presumably have access to expertise.
And they still got breached through their cloud provider relationship.
If the organization responsible for Europe’s privacy regulations can’t secure its AWS deployment, what does that say about the average business? Or the average government agency?
Security researcher Ilia Kolochenko warned that attacks like this are likely to intensify: “Politically motivated attacks will surge in 2026, potentially undermining confidence in European cybersecurity regulations and prompting organizations toward ‘EU-made’ cloud alternatives.”
The Data Sovereignty Question
This breach underscores a point we make frequently: where your data lives matters. Who controls the infrastructure matters. And relying on American hyperscalers means accepting their liability limitations and their security model.
The Commission’s own data — including employee information and databases — was stored on Amazon’s infrastructure, subject to Amazon’s policies and accessible through Amazon’s authentication systems. When that authentication failed, the data walked out the door.
Swiss and European alternatives exist specifically to address this. Data centers in jurisdictions with strong privacy laws. Providers who take end-to-end responsibility for security. Infrastructure that isn’t subject to the CLOUD Act or U.S. government data requests.
After GDPR. After all the talk about digital sovereignty. The European Commission still had sensitive data on AWS. And now that data is gone.
What We Know About the Stolen Data
The attacker claims to have exfiltrated 350GB of data including databases. Screenshots suggest access to employee personal information and email systems. The attacker explicitly stated they don’t intend extortion — they plan to leak everything publicly.
That’s actually worse for the victims. Ransomware at least creates an incentive to keep data private. A public leak means every piece of stolen information becomes permanently available to anyone who wants it.
The Commission hasn’t disclosed exactly what categories of data were exposed. Their investigation continues, and they’re notifying potentially affected EU entities.
What This Means for Your Data
The lesson here isn’t that AWS is inherently insecure. The lesson is that cloud security is hard, shared responsibility models create gaps, and even well-resourced organizations fail.
If you’re storing sensitive data with a major cloud provider, ask yourself:
- Who manages access credentials, and how are they protected?
- Are you using multi-factor authentication for all administrative access?
- Have you audited your configuration against security best practices?
- Do you have visibility into who accesses what data?
- What happens if those credentials are compromised?
For many organizations, the honest answer is: we don’t know. The cloud made storage easy and security someone else’s problem. Except it’s not someone else’s problem. It’s yours.
The European Commission is learning that lesson publicly. The rest of us should learn it privately, before we end up in the same headlines.