EU Commission Hacked Via Amazon Cloud: 350GB Gone

Hackers stole 350GB of data from the European Commission's Amazon Web Services account on March 27, 2026 — the EU's second breach in two months. The stolen data includes databases and internal files from the body that governs 450 million people. The irony: the EU spent €180 million last year building a "cloud sovereignty" framework to stop exactly this from happening.

The European Commission announced on January 20 that it wants to overhaul its cybersecurity. Sixty-six days later, someone walked into its Amazon cloud account and took everything.

BleepingComputer broke the story after the attacker contacted them directly. They'd stolen over 350GB — multiple databases, Commission staff data, and access to an employee email server. Screenshots proved it. The attacker said they won't demand ransom. They'll just publish everything online later.

The Commission's spokesperson confirmed the breach, calling it a cyberattack on "cloud infrastructure hosting the Commission's web presence on the Europa.eu platform." AWS said its own services weren't breached — the Commission's account was compromised, not Amazon's infrastructure.

Here's the part that stings. In October 2025, the Commission launched a €180 million tender specifically for "cloud sovereignty." The whole point was reducing dependence on American tech companies for sensitive European data. The tender set minimum assurance levels for "strategic, legal, operational, and environmental considerations." It name-checked the US CLOUD Act as a threat.

Five months later, 350GB of Commission data sat on AWS servers. And someone took it.

Second Breach in Eight Weeks

This wasn't even the first hit. In February, the Commission disclosed that hackers compromised its Mobile Device Management platform — the system that manages every staff device. That breach, discovered January 30, was linked to attacks on the Dutch Data Protection Authority and Finland's Ministry of Finance through vulnerabilities in Ivanti Endpoint Manager software.

ENISA, the EU's own cybersecurity agency, flagged public administrations as the most frequently targeted organisations in its 2025 threat analysis. The Commission knew it was a prime target. It got hit anyway.

A CSIS report from earlier this month noted that Russian hackers targeted "Polish critical infrastructure, a Norwegian dam, Danish utilities, EU institutions" throughout 2025 and early 2026. The European Space Agency lost 500GB to a group called Scattered Lapsus Hunters in January. The ECB started running mock cyberattacks on 109 banks. Everyone could see what was coming.

The Sovereignty Gap

The EU talks about digital sovereignty more than any government on earth. It's passed the AI Act, the Digital Markets Act, the Data Act, GDPR. It wrote a Cloud Sovereignty Framework. Last week, it sanctioned Chinese and Iranian companies for cyberattacks on member states.

None of that stopped someone from downloading 350GB of its own data from an American company's servers.

US tech outlets covered it as a cloud security story — which vendor, which vulnerability. European outlets that picked it up framed it as an institutional sovereignty failure. Most of the world didn't cover it at all.

The person who did it isn't asking for money. They're going to dump it all online for free. That's not ransomware. That's a message.

The EU is building the rules for a digital future while its present sits on someone else's servers — and apparently, anyone can take a copy.