European Commission investigates major cloud data breach as identity security concerns take center stage

Two cyberattacks on the European Commission in the space of two months. At some point that stops looking like coincidence and starts looking like a pattern worth taking seriously.

The Commission confirmed an attack on its Europa.eu platform this week, though its initial statement offered little beyond the acknowledgment that something had happened. Bleeping Computer filled in some of the gaps, reporting that the incident involved compromised accounts on Amazon Web Services.

An unnamed person claiming responsibility spoke to the publication directly, saying they had taken more than 350GB of Commission data and showing the reporter screenshots to back that up. They also said they planned to release it rather than demand money, which tells you something about what they were actually after.

Amazon’s response drew a clear line around its own infrastructure, stating that its services functioned as intended and that no security event occurred on its end. The Commission said its teams moved quickly to contain the situation and apply protective measures, though the investigation continues and the full scope remains unclear.

January’s incident targeted the Commission’s mobile device management systems, where investigators found traces of a breach that may have exposed staff names and phone numbers. Two incidents that close together, affecting different parts of the same organization, make the isolated incident explanation increasingly difficult to sustain.

People who work in cloud security professionally have pointed toward identity access management as the probable weak point, even without confirmed technical details from the Commission itself. Kellman Meghu, CTO of DeepCove Cybersecurity, described IAM as one of the areas that keeps security practitioners up at night regardless of which cloud environment they work in. His organization requires multiple people to authenticate before admin accounts activate, keeps organizational accounts isolated by function, and avoids IAM-generated keys in routine operations entirely. Those choices reflect hard lessons about where this category of attack tends to find its opening.

Ilia Kolochenko of ImmuniWeb argued that 2026 will bring more of this, not less. Politically motivated attackers, whether hacktivists or groups working on behalf of a state, do not weigh costs the way financially motivated ones do. They persist. He also noted that some European organizations will point to this incident as a reason to keep sensitive data within European-operated infrastructure, even though geography has never been a substitute for the kind of access controls that actually stop breaches from happening.