Breach Analysis | 30 March 2026 | 6 min read

European Commission Breach: 350GB from Cloud

The European Commission is investigating the theft of over 350GB of data from its Europa.eu cloud infrastructure hosted on AWS. The attacker plans to leak the data publicly rather than extort the institution, highlighting why sovereign data must be physically disconnected from cloud platforms.

Mark Fermor


Director & Co-Founder, Firevault


Originally reported by Howard Solomon, CSO Online, 27 March 2026

What Happened

The European Commission has confirmed a cyber attack on its Europa.eu platform, with an unnamed threat actor claiming to have stolen over 350 gigabytes of data from the institution's cloud infrastructure hosted on Amazon Web Services (AWS).

The attack, which came to light on Thursday 27 March 2026, involved the compromise of one or more AWS accounts. The threat actor provided screenshots as evidence to security news site Bleeping Computer and stated they intend to leak the data publicly rather than attempt to extort the Commission.

Amazon responded by stating that "AWS did not experience a security event, and our services operated as designed," placing responsibility on the Commission's own account security and access controls.

The Commission said its Europa websites remain available and that its "swift response ensured the incident was contained and risk mitigation measures were implemented to protect services and data." It added that its internal IT systems were not affected by the attack.

This is not an isolated incident. In January 2026, the Commission revealed that its central mobile device management infrastructure had "identified traces of a cyber attack" which may have exposed the names and mobile numbers of some staff members.

What Data Was Exposed

The full scope of the compromised data remains unclear. The threat actor claims to have exfiltrated over 350GB from the Commission's cloud infrastructure, though the specific types of data, whether personal records, policy documents, diplomatic communications, or internal correspondence, have not been confirmed.

What is known is that the data resided on cloud infrastructure managed through AWS accounts, meaning it was accessible via standard cloud authentication and access control mechanisms. The Commission has not yet provided a detailed breakdown of the affected data sets.

The IAM Challenge

The breach has reignited debate about the inherent complexity of identity and access management (IAM) in cloud environments. Security experts point to the difficulty of guaranteeing that only authorised individuals have legitimate access to sensitive infrastructure.

Kellman Meghu, Chief Technology Officer of Canadian incident response firm DeepCove Cybersecurity, highlighted the risks: "This is why I force all my users to use AWS Identity Center sign on. No IAM-generated keys, and admin accounts are only activated through a 'break glass' strategy, where two people are needed to authenticate."

Meghu described storing root and admin account credentials outside of AWS entirely, on a system requiring dual authorisation from both the CEO and CTO via credentials and hardware tokens. Any unauthorised access attempt generates an immediate alert.
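The policy described above (no IAM-generated keys, root and admin access only through break glass, an alert on any unexpected use) can also be monitored from the AWS side through CloudTrail. The following is an added example, not code from the article, Meghu or DeepCove; the rule names and sample records are constructed for illustration, while the field names follow the CloudTrail record format.

```python
"""Flag CloudTrail records that violate a 'no IAM keys, break-glass root' policy."""

# Constructed sample records (not data from the incident). Field names follow
# the CloudTrail record format; account IDs, ARNs and key IDs are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP00001",
                      "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_Dev/alice"}},
    {"eventTime": "2026-03-01T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP00002",
                      "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_Admin/bob"}},
    {"eventTime": "2026-03-01T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLELONG00001",
                      "arn": "arn:aws:iam::111111111111:user/ci-deploy"}},
    {"eventTime": "2026-03-01T09:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]


def findings_for(event):
    """Return the policy violations (rule names) raised by one record."""
    ident = event.get("userIdentity", {})
    found = []
    if ident.get("type") == "Root":
        # Root is break-glass only, so every use is alert-worthy, failed or not.
        login = (event.get("responseElements") or {}).get("ConsoleLogin")
        found.append("root-login-failed" if login == "Failure" else "root-activity")
    if (event.get("eventSource"), event.get("eventName")) == ("iam.amazonaws.com", "CreateAccessKey"):
        found.append("access-key-created")
    # Long-term IAM user keys start with AKIA; temporary STS credentials with ASIA.
    if (ident.get("accessKeyId") or "").startswith("AKIA"):
        found.append("long-term-key-used")
    return found


def audit(events):
    """Return (eventTime, principal ARN, rule) for every violation, in order."""
    return [(e["eventTime"], e.get("userIdentity", {}).get("arn", "unknown"), rule)
            for e in events for rule in findings_for(e)]


if __name__ == "__main__":
    for when, who, rule in audit(SAMPLE_EVENTS):
        print(f"{when}  {rule:<20} {who}")
```

In an account that follows the policy, routine Identity Center sessions produce no findings, so each line of output is a candidate for immediate review.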

"I personally live in constant fear of this sort of thing happening," he said. "I create multiple separate AWS accounts using the AWS Organizations feature so accounts are completely isolated from each other. The reality is, identity access management is hard, and not just in AWS. It is the same challenge with all infrastructure. How do we guarantee the authorised person has legitimate access? It only takes one mistake."

Ilia Kolochenko, CEO of Swiss-based ImmuniWeb, warned that the attackers' intention to release data rather than seek payment points to political motivation. "The attackers behind are either hacktivists or cyber mercenaries hired by a nation state. In view of the geopolitical turbulence around the globe, such attacks will probably surge in 2026."

Why This Matters

Kolochenko described the incident as "a grim warning that the European regulation of cybersecurity, that some experts perceive as excessive and unnecessarily complicated, is not a panacea against data breaches."

The breach raises several critical questions for any organisation storing sensitive data in cloud infrastructure:

  • Cloud concentration risk: When an entire platform depends on a single cloud provider's access controls, a single compromised account can expose everything.
  • Political motivation: Attackers who do not seek financial gain are harder to deter and may invest significant resources in persistent, sophisticated campaigns.
  • Regulatory limitations: Despite the EU's extensive data protection framework, including GDPR, NIS2, and DORA, regulation alone cannot prevent breaches when the underlying infrastructure remains network-connected and accessible via identity credentials.
  • Digital sovereignty: Kolochenko noted that some European organisations may use this incident to promote "EU-made" cloud solutions, though he cautioned that changing cloud providers alone "will quite unlikely make any material change of cloud security landscape."

The Solicitors Regulation Authority has separately warned of a rise in cyber attacks across the professional services sector, with three-quarters of firms visited in a recent investigation having been targeted.

The Offline Alternative

The European Commission breach illustrates a fundamental limitation of cloud-dependent data storage: no matter how sophisticated the access controls, data that remains network-connected is data that can be reached by an attacker who compromises the right credentials.

As Meghu himself acknowledged, "It only takes one mistake." The break-glass strategies, multi-account isolation, and hardware token requirements he described are all valuable layers of defence, but they are all ultimately identity-based controls protecting network-accessible data.

Physical air gap storage removes this attack surface entirely. By physically disconnecting storage from all networks, Firevault's Vaulted, Protected, Preserved, and Private (VPPP) framework ensures that sovereign data, whether belonging to governmental institutions, law firms, or enterprises, cannot be exfiltrated remotely, regardless of how many credentials an attacker compromises.

Had the Commission's most sensitive data been stored in a physically disconnected vault, the 350GB exfiltration simply could not have occurred. No network connection means no remote access, no lateral movement, and no bulk data theft.

Key Takeaways

  • Cloud IAM is inherently fragile: Even with best-practice controls like hardware tokens, break-glass procedures, and account isolation, identity-based access remains vulnerable to a single compromised credential.
  • Political attackers are harder to deter: When the goal is reputational damage rather than financial gain, traditional deterrents like encryption and ransom negotiation become irrelevant.
  • Regulation is not prevention: The EU has some of the world's most comprehensive data protection regulations, yet the Commission itself has suffered multiple breaches in 2026 alone.
  • Physical disconnection is the only guarantee: Air-gapped storage eliminates the possibility of remote exfiltration, making it the only approach that can truly protect sovereign and sensitive data from network-based attacks.
  • Cloud provider responsibility has limits: Amazon's statement that "AWS did not experience a security event" underscores that cloud providers are not responsible for how customers configure and secure their own accounts.

About the author

Mark Fermor


Director & Co-Founder

The driving force behind Firevault's market presence, combining commercial vision with deep tech insight.
