EU Commission AWS Account Compromised by TeamPCP, 92 GB of Sensitive Data Exfiltrated
What Happened — CERT‑EU confirmed that the hacking group TeamPCP accessed the European Commission’s Amazon Web Services (AWS) account using a stolen API key, downloading roughly 92 GB of compressed files that contain names, email addresses and outbound email content. The breach was first detected on 24 March after alerts of abnormal network traffic and potential API misuse.
Why It Matters for TPRM —
- Highlights the critical risk of supply‑chain‑compromised tooling (Trivy) that can expose privileged cloud credentials.
- Demonstrates how a single API key can give attackers lateral movement across a public‑sector cloud estate.
- Personal data of EU officials and agencies was exfiltrated, creating regulatory, privacy and reputational exposure for any downstream vendors.
Who Is Affected — Government & public‑sector bodies (European Commission, EU member‑state entities, internal client agencies).
Recommended Actions — Review cloud‑service contracts for API‑key management clauses, enforce least‑privilege IAM policies, conduct a supply‑chain software‑bill‑of‑materials audit, and implement continuous cloud‑traffic anomaly detection.
Technical Notes — The attackers used a compromised version of the open‑source container scanner Trivy to steal a secret AWS API key (a third‑party dependency compromise). Exfiltrated data included ~52 000 email‑related files (≈2.2 GB) and additional confidential documents. Source: The Record
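The cloud-traffic anomaly detection recommended above can start from CloudTrail S3 data events: flag any access key that is used from a source IP outside its known baseline and pulls more than a set volume of data from there. This is an added example, not code from CERT‑EU or The Record; the events, key IDs, IP addresses, baseline and threshold are constructed, and `flag_key_misuse` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (not data from the incident).
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECI000001"},
     "additionalEventData": {"bytesTransferredOut": 1000}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECI000001"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECI000001"},
     "additionalEventData": {"bytesTransferredOut": 600_000_000}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECI000001"},
     "additionalEventData": {"bytesTransferredOut": 900_000_000}},
    {"eventName": "GetObject", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEAPP00002"},
     "additionalEventData": {"bytesTransferredOut": 2048}},
]

# Assumed baseline: IPs each key is expected to call from (e.g. the CI runner).
BASELINE_IPS = {"AKIAEXAMPLECI000001": {"198.51.100.10"}}

def flag_key_misuse(events, baseline_ips, egress_threshold):
    """Return keys that moved more than egress_threshold bytes out of S3
    from source IPs that are not in that key's baseline."""
    stats = defaultdict(lambda: {"new_ips": set(), "bytes_out": 0})
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        ip = ev.get("sourceIPAddress")
        if not key or not ip:
            continue  # service-internal or malformed record
        if ip in baseline_ips.get(key, set()):
            continue  # expected caller, not counted
        entry = stats[key]
        entry["new_ips"].add(ip)
        if ev.get("eventName") == "GetObject":
            extra = ev.get("additionalEventData") or {}
            entry["bytes_out"] += int(extra.get("bytesTransferredOut", 0))
    return {
        key: {"new_ips": sorted(v["new_ips"]), "bytes_out": v["bytes_out"]}
        for key, v in stats.items()
        if v["bytes_out"] > egress_threshold
    }

if __name__ == "__main__":
    print(flag_key_misuse(SAMPLE_EVENTS, BASELINE_IPS, 1_000_000_000))
```

A key with no baseline entry is treated as having no expected callers, so it is flagged only once its egress crosses the threshold.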