EU cloud breach hit 30 entities
What happened
CERT-EU says a hack of the European Commission’s cloud environment exposed data belonging to the Commission plus at least 29 other EU entities, and around 90 GB of data was later published online. The incident highlights how shared cloud ecosystems can create spillover risk for connected organisations and third-party integrations. (bleepingcomputer.com) (techradar.com)
Why it matters
CERT-EU says investigators found that attackers first used a tampered copy of a widely used security tool to steal a secret that let them access the European Commission’s cloud account that hosts the europa.eu websites. (cert.europa.eu) The Commission’s security centre spotted unusual activity on 24 March, notified CERT-EU on 25 March, and issued a public notice on 27 March as the investigation continued. (ec.europa.eu) CERT-EU links the initial compromise to a “supply‑chain” attack on Trivy, an open‑source vulnerability scanner: attackers altered a trusted piece of software that many organisations run automatically in their build pipelines. CERT-EU attributes that compromise to a threat group known as TeamPCP. (cert.europa.eu) (securityboulevard.com) The attackers obtained an Amazon Web Services secret (a software credential, sometimes called an API key, that programs use to authenticate to a cloud account), used the secret‑scanning tool TruffleHog to find additional credentials, and called the cloud provider’s Security Token Service (STS, which issues short‑lived access tokens) to move through the environment. (cert.europa.eu) (snyk.io)

CERT-EU reports that about 91.7 gigabytes of compressed data was taken, including names, email addresses and email content; the extortion group that posted the files later claimed a larger haul, publishing an initial 90 GB archive before saying the total exceeded 300 GB, and media outlets report both figures. (cert.europa.eu) (sosransomware.com) (bleepingcomputer.com) CERT-EU’s public advisory urges affected organisations to update Trivy to a known‑safe release, rotate all cloud and pipeline credentials, audit CI/CD workflows for compromised Trivy references, and pin any automated actions to immutable commit hashes rather than mutable tags, since a tag or branch name can be re-pointed at altered code while a commit hash cannot. (csoonline.com)
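The advisory’s last two recommendations, auditing CI/CD workflows for Trivy references and pinning actions to commit hashes, can be checked mechanically. The script below is an added example written for this digest, not code from CERT-EU, the Commission or the Trivy project. It assumes GitHub Actions workflow YAML, runs over a constructed sample workflow embedded inline (the checkout SHA is a placeholder, not a real commit), and treats aquasecurity/trivy-action, the Trivy GitHub Action, as the watched name; any other Trivy wrappers or forks an organisation uses would need to be added to that list.

```python
"""Audit GitHub Actions workflows for mutable Trivy references (added example).

Every remote `uses:` reference is classified as SHA-pinned or mutable, and any
reference to a Trivy action is called out regardless of how it is pinned.
"""
import re
from typing import Dict, List, Tuple

# Remote action reference: `uses: owner/repo[/path]@ref` (quoted or not).
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'@]+)@([^\s"\'#]+)',
                     re.MULTILINE)
# A full 40-hex commit SHA is the only reference nobody can silently re-point.
SHA40_RE = re.compile(r"[0-9a-f]{40}")

# Action names to call out explicitly. aquasecurity/trivy-action is the Trivy
# GitHub Action; extending the list (forks, wrappers) is an assumption left
# to the reader's environment.
TRIVY_ACTIONS = ("aquasecurity/trivy-action",)

# Constructed sample workflow (not taken from the incident). The checkout SHA
# is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Build image
        run: docker build -t app:ci .
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:ci
      - name: Upload SARIF
        uses: "github/codeql-action/upload-sarif@v3"
"""


def parse_uses(text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) for every remote `uses:` line in the workflow."""
    return [(m.group(1), m.group(2)) for m in USES_RE.finditer(text)]


def is_immutable_ref(ref: str) -> bool:
    """True only for a full commit SHA; tags and branch names can be moved."""
    return SHA40_RE.fullmatch(ref.lower()) is not None


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Report mutable references and every Trivy reference, with a severity.

    high:   Trivy action on a mutable ref (tag/branch); replace with a
            known-safe commit SHA.
    medium: any other action on a mutable ref.
    info:   Trivy action already SHA-pinned; still confirm that the SHA
            belongs to a known-safe release.
    """
    findings: List[Dict[str, object]] = []
    for action, ref in parse_uses(text):
        pinned = is_immutable_ref(ref)
        is_trivy = action.lower().startswith(TRIVY_ACTIONS)
        if pinned and not is_trivy:
            continue  # SHA-pinned non-Trivy action: nothing to report
        if is_trivy and not pinned:
            severity = "high"
        elif not pinned:
            severity = "medium"
        else:
            severity = "info"
        findings.append({"action": action, "ref": ref, "pinned": pinned,
                         "trivy": is_trivy, "severity": severity})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per severity so a CI gate can fail on any 'high'."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[str(f["severity"])] += 1
    return counts


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"[{f['severity']}] {f['action']}@{f['ref']} pinned={f['pinned']}")
    print(summarize(results))
    raise SystemExit(1 if summarize(results)["high"] else 0)
```

Run against a repository’s `.github/workflows/*.yml` files, the script exits non-zero whenever a Trivy action is referenced by a tag or branch, which is the case the advisory singles out; a SHA-pinned Trivy reference is still listed as `info` because pinning alone does not prove the pinned commit is one of the known-safe releases.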
Key numbers
- At least 30 EU entities affected: the European Commission plus at least 29 others. (bleepingcomputer.com)
- About 91.7 GB of compressed data taken according to CERT-EU; the extortion group published an initial 90 GB archive and later claimed the total exceeded 300 GB. (cert.europa.eu) (bleepingcomputer.com)
- Timeline: unusual activity spotted 24 March, CERT-EU notified 25 March, public notice issued 27 March. (ec.europa.eu)