European Commission Cloud Breach Exposes Data of 30 EU Entities via Stolen AWS API Key
What Happened — The European Commission’s Amazon Web Services (AWS) cloud environment hosting the europa.eu websites was compromised. Threat actors obtained a stolen AWS API key through the Trivy supply‑chain compromise, accessed the account, and exfiltrated hundreds of gigabytes of data belonging to at least 30 EU entities.
Why It Matters for TPRM —
- A breach of a public‑sector cloud tenant demonstrates the risk that third‑party cloud service misconfigurations and credential theft pose.
- Exposure of data from multiple EU agencies can cascade to downstream vendors and partners that process or store that information.
- The incident underscores the need for continuous monitoring of cloud‑provider access controls and supply‑chain security.
Who Is Affected — Government & public‑sector organizations, EU institutions, and any third‑party vendors that handle data for the affected entities.
Recommended Actions —
- Review all contracts and security clauses with cloud‑hosting providers, especially AWS.
- Verify that your organization enforces strict API‑key rotation, least‑privilege access, and secret‑scanning in CI/CD pipelines.
- Conduct a supply‑chain risk assessment for tools (e.g., Trivy) that could introduce credential exposure.
Technical Notes — The attacker leveraged a stolen AWS secret key obtained via the Trivy supply‑chain compromise on March 19, then used the key to enumerate and download data from the Commission’s AWS accounts. No vulnerability in the Commission’s own code was disclosed; the vector was credential theft and cloud‑account abuse. Source: Security Affairs
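The pattern described in the technical notes, a stolen key first used to enumerate the account and then to pull data in bulk, is visible in CloudTrail if you look for it per access key. The following Python is an added example, not code from the report or from AWS: it groups CloudTrail-style records by access key ID and raises an alert when a key is used from a source IP outside the organisation's known CI egress addresses, or when enumeration calls are followed by a burst of GetObject downloads. The events, key IDs, IP addresses and timestamps are constructed; the field names follow the CloudTrail record format. GetObject only appears in CloudTrail when S3 data‑event logging is enabled, which is the first thing to verify before relying on the second rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Calls that reveal what the account holds; a stolen key usually starts here.
ENUMERATION_CALLS = {"GetCallerIdentity", "ListBuckets", "ListObjects", "ListObjectsV2",
                     "DescribeInstances", "ListUsers"}
DOWNLOAD_CALLS = {"GetObject"}


def _ev(t, name, ip, key, source="s3.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}


# Constructed: one key abused from an unfamiliar address, one used by the normal CI job.
SUSPECT_KEY = "AKIAEXAMPLEKEY000001"
CI_KEY = "AKIAEXAMPLEKEY000002"
KNOWN_CI_EGRESS = {"198.51.100.20"}  # hypothetical NAT address of the build runners
SAMPLE_EVENTS = (
    [_ev("2025-03-19T10:00:01Z", "GetCallerIdentity", "203.0.113.7", SUSPECT_KEY, "sts.amazonaws.com"),
     _ev("2025-03-19T10:00:05Z", "ListBuckets", "203.0.113.7", SUSPECT_KEY),
     _ev("2025-03-19T10:00:10Z", "ListObjectsV2", "203.0.113.7", SUSPECT_KEY)]
    + [_ev(f"2025-03-19T10:0{i}:30Z", "GetObject", "203.0.113.7", SUSPECT_KEY) for i in range(1, 7)]
    + [_ev("2025-03-19T09:30:00Z", "ListObjectsV2", "198.51.100.20", CI_KEY),
       _ev("2025-03-19T09:30:05Z", "GetObject", "198.51.100.20", CI_KEY),
       _ev("2025-03-19T09:30:06Z", "GetObject", "198.51.100.20", CI_KEY)]
)


def _ts(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_key_abuse(events, known_egress_ips, download_threshold=5, window_minutes=30):
    """Return alerts for keys used from unknown IPs or enumerating then bulk-downloading."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"].get("accessKeyId", "unknown")].append(e)

    alerts = []
    window = timedelta(minutes=window_minutes)
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))

        # Rule 1: a CI key should only ever be used from the runners' egress addresses.
        foreign = sorted({e["sourceIPAddress"] for e in evs} - set(known_egress_ips))
        if foreign:
            alerts.append({"accessKeyId": key, "reason": "unknown_source_ip", "detail": foreign})

        # Rule 2: enumeration followed by >= threshold downloads inside the window.
        enum_times = [_ts(e["eventTime"]) for e in evs if e["eventName"] in ENUMERATION_CALLS]
        dl_times = [_ts(e["eventTime"]) for e in evs if e["eventName"] in DOWNLOAD_CALLS]
        for t0 in enum_times:
            downloads = sum(1 for t in dl_times if t0 <= t <= t0 + window)
            if downloads >= download_threshold:
                alerts.append({"accessKeyId": key, "reason": "enumeration_then_bulk_download",
                               "detail": downloads})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_key_abuse(SAMPLE_EVENTS, KNOWN_CI_EGRESS):
        print(f"{a['accessKeyId']}: {a['reason']} ({a['detail']})")
```

The IP allowlist rule is the cheaper and earlier signal: in this incident the first use of the key from outside the pipeline's network would have fired before any data left the account. The download threshold and window are tuning knobs; set them from a baseline of what the legitimate job actually fetches.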