TeamPCP Hijacks European Commission AWS Cloud, Exposing Data of 71 EU Entities
What Happened – The European Commission's AWS‑hosted cloud environment was breached on 10 March 2026 by a threat actor operating under the TeamPCP banner, using a stolen AWS API key that had originally been taken in the Trivy supply‑chain compromise. With that key the attackers created additional access credentials, ran TruffleHog against the environment to find further secrets, and exfiltrated tens of thousands of files containing personal data, usernames and email content. The stolen dataset (≈90 GB) was later leaked on the dark web by the ShinyHunters extortion group.
Why It Matters for TPRM –
- A supply‑chain compromise of a third‑party code‑analysis tool (Trivy) enabled credential theft from a critical EU cloud service.
- The breach affected 42 internal Commission clients and at least 29 other Union entities (71 total), highlighting the systemic risk of shared cloud infrastructure.
- Sensitive personal information was publicly released, creating compliance, reputational and breach‑notification obligations for any downstream vendors that process data from the affected platform.
Who Is Affected – Government & public‑sector bodies (European Commission, EU agencies), cloud‑hosting providers (AWS), and any downstream service providers that rely on the compromised EU web‑hosting platform.
Recommended Actions –
- Review all third‑party cloud contracts for mandatory API‑key rotation, least‑privilege access, and continuous monitoring clauses.
- Verify that your organization’s cloud credentials are stored in hardened secret‑management solutions and are not exposed via supply‑chain components.
- Conduct an immediate audit of any AWS accounts or services that share credentials with EU entities; enforce MFA and rotate all privileged keys, checking IAM for access keys that were created after the compromise date.
- Update incident‑response playbooks to include detection of anomalous API activity (for example, access keys created for existing users, or one key reading many secrets in a short window) and other credential misuse.
Technical Notes – The attackers used a stolen AWS access key with management rights, obtained through the Trivy supply‑chain attack, then ran TruffleHog to locate additional secrets and attached a new access key to an existing IAM user so that their access blended in with a legitimate identity. Data exfiltrated included names, email addresses, usernames and email content (≈340 GB uncompressed; the leaked archive was posted at ≈90 GB). Source: BleepingComputer