
European Commission admits attackers broke into public web systems, but says little else

(2026/03/30)


The European Commission has admitted that attackers broke into its public-facing web infrastructure and siphoned off data in a [1]bare-bones disclosure that answers the what but ducks most of the how.

The intrusion was spotted on March 24 and hit cloud systems hosting the Commission's Europa websites, the front door for everything from policy pages to public information. Officials say they contained the incident quickly and that the sites stayed online, so there was no obvious outage while someone was poking around the back end.

What that someone actually got is another matter. The Commission says data may have been exfiltrated, but leaves it there. There are no details about what kind of data was taken, how much, or who might be affected. There's also no word on initial access, how long the attackers had access, or who might be responsible.

"Early findings of our ongoing investigation suggest that data have been taken from those websites," the EC said. "The Commission is duly notifying the Union entities who might have been affected by the incident. The Commission's services are still investigating the full impact of the incident."

For an institution that often emphasizes breach transparency, it's a pretty thin statement. The European Commission did not respond to The Register's questions.

While the EC isn't saying much, [9]reports claim a threat actor may have gained access to the Commission's AWS cloud environment and exfiltrated more than 350 GB of data.

One line the Commission is keen to stress is that internal systems were not affected, at least based on what it knows so far. If that assessment holds, it suggests reasonable separation between public web services and the core network, limiting how far an attacker could go once inside.

Even so, this is the Commission's second security headache in quick succession. Just last month, Brussels admitted that [10]Commission-issued mobile phones had been compromised, an intrusion that "may have resulted in access to staff names and mobile numbers of some of its staff members."

The EC's barely there statement leans on the usual line about Europe facing constant cyber pressure, with references to NIS2 and other initiatives. That may be true, but it doesn't explain how this one happened – or why there's so little detail about it. ®

[1] https://ec.europa.eu/commission/presscorner/detail/en/ip_26_748

[9] https://www.bleepingcomputer.com/news/security/european-commission-investigating-breach-after-amazon-cloud-account-hack/

[10] https://www.theregister.com/2026/02/09/european_commission_phone_breach/



GDPR and NIS2

Kurgan

GDPR and NIS2 for you, but not for me. As usual.

Out Of Whack.....You Think?

Anonymous Coward

Quote: ".....exfiltrated more than 350 GB of data..."

So.....suppose the bad actor got, say, continuous 100 megabit per second access.

That's about eight hours of continuous slurping!

Yes.....I know that networks are VERY busy. But a bad actor active for eight hours....and no one noticed?

Yup.....priorities a bit out of whack:

- P1....Think of the children

- P2....Basic security scanning

Sigh!

Re: Out Of Whack.....You Think?

Charlie Clark

That's from an unconfirmed report so you might want to hold your horses.

All the EC websites I've ever come across are boring and largely frontends for heaps of PDFs, which is the format that bureaucracies seem to love for fulfilling the letter of the law about openness. The EC produces oodles of documents in about 20 different languages. That quickly adds up to a lot of training data for the Humphey™ chatbot.
