European Commission investigating breach after Amazon cloud hack

Brownie2019

The European Commission, the European Union's main executive body, is investigating a security breach after a threat actor gained access to its Amazon cloud infrastructure.
Although the EU's executive cabinet has yet to disclose the incident publicly, BleepingComputer has learned that the breach affected at least one account used to manage the compromised cloud infrastructure.
Sources familiar with the incident have told BleepingComputer that the attack was quickly detected and that the Commission's cybersecurity incident response team is now investigating.
While the Commission has yet to share any details about this breach, the threat actor who claimed responsibility for the attack reached out to BleepingComputer earlier this week, stating that they had stolen over 350 GB of data (including multiple databases).
They didn't disclose how they breached the affected accounts, but they provided BleepingComputer with several screenshots as proof that they had access to information belonging to European Commission employees and to an email server used by Commission employees.
The threat actor also told BleepingComputer that they will not attempt to extort the Commission using the allegedly stolen data as leverage, but intend to leak the data online at a later date.
The Commission disclosed another data breach in February after discovering on January 30 that the mobile device management platform used to manage its staff's devices had been hacked.
The January incident appears to be linked to similar attacks targeting other European institutions (including the Dutch Data Protection Authority and Valtori, a government agency of Finland's Ministry of Finance) that exploit code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software.
These recent security breaches come on the heels of the Commission's January 20 proposal for new cybersecurity legislation to strengthen defenses against state-backed actors and cybercrime groups targeting Europe's critical infrastructure.
Last week, the Council of the European Union also sanctioned three Chinese and Iranian companies for orchestrating cyberattacks targeting the critical infrastructure of member states.
 
That is a serious report, but the safest reading is still: an alleged cloud breach is under investigation, with some details reported by BleepingComputer, while key technical facts have not been publicly confirmed yet.

What can be said with reasonable confidence

  • According to the quoted report, the European Commission is investigating a suspected compromise involving Amazon cloud infrastructure.
  • The incident was reportedly detected quickly and is being handled by the Commission’s incident response team.
  • A threat actor allegedly claimed access to at least one account and claimed to have stolen a large amount of data.
  • At the time reflected in the quote, the full scope, access path, and impact had not been publicly disclosed.

What should be treated carefully

  • The “350 GB of data” claim comes from the threat actor and should not be treated as verified fact on its own.
  • Screenshots can support a claim, but they do not fully establish scope, duration of access, or exactly what was exfiltrated.
  • It is not safe to assume this is connected to the earlier Ivanti-related incidents unless officials or solid forensic reporting confirm that link.

Why this matters

For a government body, compromise of cloud administration or related accounts can create multiple risks:

  • Exposure of internal documents or employee data
  • Access to mail systems or cloud-hosted workloads
  • Potential lateral movement if credentials, tokens, or trust relationships were affected
  • Reputational and policy impact, especially when the same institution is involved in cybersecurity legislation

Likely immediate response priorities

In a case like this, the standard response would usually include:

  • Isolating affected accounts and rotating credentials
  • Reviewing IAM roles, API keys, session tokens, and MFA status
  • Checking CloudTrail, mail logs, and identity logs for persistence or privilege escalation
  • Determining what data was actually accessed or exfiltrated
  • Assessing whether this was a single-account compromise or broader cloud control-plane exposure

Practical takeaway for readers

The main takeaway is not the political angle, but the recurring security lesson: cloud account security and identity protection remain central. In many breaches, the most important question is not “was it AWS?” but “how was identity compromised, and what permissions did that identity have?”

Until the Commission or reliable follow-up reporting publishes technical details, anything beyond that is mostly speculation. The careful conclusion is that this appears to be a credible and significant incident report, but the breach method, true scope, and final impact are still unconfirmed.
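As an added illustration of the CloudTrail and IAM review step listed above (example code written for this thread, not code from the Commission, AWS, or any poster), a small Python triage pass over constructed CloudTrail-style records: it flags successful console logins without MFA, IAM persistence events such as new access keys, and policy attachments that grant AdministratorAccess, grouped by the principal that performed them. Field names follow the CloudTrail record format; the account id, ARNs, IPs and timestamps are invented.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (invented values; field names match the
# CloudTrail record format, which is what a responder would actually be reading).
ACCT = "arn:aws:iam::111122223333:user/"
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"arn": ACCT + "ops-admin"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2026-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"arn": ACCT + "ops-admin"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "ops-admin"}},
    {"eventTime": "2026-01-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"arn": ACCT + "ops-admin"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2026-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"arn": ACCT + "dev"},
     "sourceIPAddress": "198.51.100.7"},
]

# IAM API calls that commonly indicate persistence or privilege escalation.
PERSISTENCE = {"CreateAccessKey", "CreateUser", "CreateLoginProfile", "UpdateAssumeRolePolicy"}
ESCALATION = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
              "PutUserPolicy", "PutRolePolicy"}

def load_records(path):
    """Read a CloudTrail log file; its JSON wraps the events in a 'Records' array."""
    with open(path) as f:
        return json.load(f)["Records"]

def triage(events):
    """Return {principal_arn: [finding, ...]} for events a responder should look at first."""
    findings = defaultdict(list)
    for ev in events:
        name = ev.get("eventName")
        who = ev.get("userIdentity", {}).get("arn", "<unknown>")
        ip = ev.get("sourceIPAddress", "?")
        params = ev.get("requestParameters", {})
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings[who].append(f"console login without MFA from {ip}")
        elif name in PERSISTENCE:
            findings[who].append(f"persistence: {name} on {params.get('userName', '?')} from {ip}")
        elif name in ESCALATION:
            pol = params.get("policyArn") or params.get("policyName") or "?"
            target = params.get("userName") or params.get("roleName") or params.get("groupName") or "?"
            sev = "HIGH" if pol.endswith("AdministratorAccess") else "MEDIUM"
            findings[who].append(f"{sev} escalation: {name} {pol} -> {target} from {ip}")
    return dict(findings)

if __name__ == "__main__":
    for principal, notes in triage(SAMPLE_EVENTS).items():
        print(principal, *("  - " + n for n in notes), sep="\n")
```

In a real engagement the same pass would run over `load_records()` output for every region and account, and any principal with findings is a candidate for the credential-rotation and session-revocation steps above.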
 
Even though this specific incident might not affect us directly at a home user level, it’s a perfect reminder to review our own defenses. Beyond the basics (2FA, unique passwords, and updates), there is one vital detail often overlooked: 'offline' backups.

Many of us trust cloud storage or external drives that stay plugged into the PC 24/7. However, if ransomware hits, it will encrypt those backups too. The only 100% reliable defense is that external hard drive you only plug in to copy your files and then store in a drawer. If it’s not connected, it can’t be hacked; it’s as simple as that. 🔒 💾 🗄️
 
For account hacks, I would advocate a strong+unique password plus strongest 2FA everywhere you can.

For confidential data leaks, I would advocate an encryption-until-use strategy as the minimum, plus offline storage when possible. I don’t know the effectiveness of offline access given the need to update systems online and malware/hacks that use store-and-forward strategies.