The European Union’s cybersecurity agency, CERT-EU, has confirmed that a recent major data breach affecting the European Commission was the result of a coordinated effort by two distinct hacking groups: TeamPCP and ShinyHunters. The incident compromised approximately 92 gigabytes of compressed data, including personal information such as names, email addresses, and the contents of emails.

Breach Details and Scope

The attack originated on March 19th, when the hackers obtained a secret API key linked to the Commission's Amazon Web Services (AWS) account. They gained this key through a compromised version of the open-source security tool Trivy, which the Commission had unknowingly downloaded after the tool's earlier breach. The stolen data affected not only the Commission but potentially at least 29 other EU entities that rely on the Commission's cloud infrastructure for their websites and publications.

ShinyHunters later claimed responsibility for publishing the leaked data online. According to a member of the group, they acquired some of the stolen files from TeamPCP after earlier attacks, and then disseminated them publicly.

Why This Matters: The Rise of Supply Chain Attacks

This incident is notable because it highlights an increasing trend in cybercrime: supply chain attacks. By compromising tools like Trivy, hackers gain access to multiple organizations that rely on the same software. This strategy maximizes impact with minimal effort. As Palo Alto Networks Unit 42 explains, targeting developers with access to sensitive systems allows hackers to extort organizations for ransom payments.

The involvement of two separate groups also suggests either collaboration or opportunistic exploitation of the same initial compromise. CERT-EU is contacting affected organizations to limit further damage. The Commission's spokesperson declined immediate comment, stating that they would respond next week.

Data Exposure Risks

Analysis of the leaked files reveals that approximately 52,000 of them contain email messages. While many of these are automated messages with little substantive content, emails that bounced back because of delivery errors may still carry the original user-submitted data, creating a risk that personal information has been exposed.

This breach underscores the vulnerability of even high-profile institutions to common attack vectors like supply chain compromises and stolen API keys. The incident serves as a stark reminder for organizations to prioritize software security updates, robust access controls, and vigilant monitoring of their cloud infrastructure.
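As an added illustration of the "vigilant monitoring" the article calls for (example code written for this page, not from the article, CERT-EU or the Commission): a small detector that flags a long-lived AWS access key being used from outside its known egress networks or with an unexpected user agent, which is the pattern a key lifted from a CI pipeline would produce. The access-key IDs, IP ranges, user agents and timestamps are constructed placeholders, not values from the incident.

```python
import ipaddress
import json

# Constructed CloudTrail-style records (sample data, not logs from the incident): two
# CI-runner calls from its usual egress range, then the same key used from elsewhere.
RAW_EVENTS = """
{"eventTime":"2026-03-19T08:01:11Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.10","userAgent":"aws-sdk-go/1.44 ci-runner","userIdentity":{"accessKeyId":"AKIAEXAMPLECI00001"}}
{"eventTime":"2026-03-19T08:02:40Z","eventName":"GetObject","sourceIPAddress":"203.0.113.12","userAgent":"aws-sdk-go/1.44 ci-runner","userIdentity":{"accessKeyId":"AKIAEXAMPLECI00001"}}
{"eventTime":"2026-03-19T21:14:03Z","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userAgent":"aws-cli/2.15","userIdentity":{"accessKeyId":"AKIAEXAMPLECI00001"}}
{"eventTime":"2026-03-19T21:14:09Z","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userAgent":"aws-cli/2.15","userIdentity":{"accessKeyId":"AKIAEXAMPLECI00001"}}
"""

# Assumed baseline (hypothetical values): the egress networks and user-agent
# prefixes from which each long-lived access key is legitimately used.
BASELINE = {
    "AKIAEXAMPLECI00001": {
        "networks": ["203.0.113.0/24"],
        "user_agents": ["aws-sdk-go/1.44 ci-runner"],
    },
}

def parse_events(raw):  # newline-delimited JSON, one CloudTrail record per line
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def check_event(event, baseline):
    """Return the reasons this event deviates from its key's baseline ([] if none)."""
    key = event.get("userIdentity", {}).get("accessKeyId")
    profile = baseline.get(key)
    if profile is None:
        return ["access key has no baseline"]
    reasons = []
    try:
        ip = ipaddress.ip_address(event["sourceIPAddress"])
        in_net = any(ip in ipaddress.ip_network(n) for n in profile["networks"])
    except ValueError:  # CloudTrail may record a service DNS name instead of an IP
        in_net = False
    if not in_net:
        reasons.append("source outside expected networks")
    if not any(event.get("userAgent", "").startswith(p) for p in profile["user_agents"]):
        reasons.append("unexpected user agent")
    return reasons

def find_anomalies(raw, baseline=BASELINE):
    """List (eventTime, reasons) for every event that deviates from its baseline."""
    flagged = []
    for event in parse_events(raw):
        reasons = check_event(event, baseline)
        if reasons:
            flagged.append((event["eventTime"], reasons))
    return flagged
```

Run over the sample, only the two evening events from 198.51.100.77 are flagged; in practice the baseline would be derived from the CI system's real egress addresses and the SDK string the scanner actually sends.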