Cyber-crime European Commission admits attackers broke into public web systems, but says little else Brussels notifying 'Union entities' whose data may've been snatched in websites breach Carly Page Mon 30 Mar 2026 // 10:15 UTC The European Commission has admitted that attackers broke into its public-facing web infrastructure and siphoned off data in a bare-bones disclosure that answers the what but ducks most of the how. The intrusion was spotted on March 24 and hit cloud systems hosting the Commission's Europa websites, the front door for everything from policy pages to public information. Officials say they contained the incident quickly and that the sites stayed online, so there was no obvious outage while someone was poking around the back end. What that someone actually got is another matter. The Commission says data may have been exfiltrated, but leaves it there. There are no details about what kind of data was taken, how much, or who might be affected. There's also no word on initial access, how long the attackers had access, or who might be responsible. "Early findings of our ongoing investigation suggest that data have been taken from those websites," the EC said. "The Commission is duly notifying the Union entities who might have been affected by the incident. The Commission's services are still investigating the full impact of the incident." For an institution that often emphasizes breach transparency, it's a pretty thin statement. The European Commission did not respond to The Register's questions. EU broadcasters say smart TVs and voice assistants are the next gatekeepers 'Death sentence': EU cloud lobby takes Broadcom to Brussels over VMware partner purge Europe's cloud minnows tell Brussels to stop big tech 'sovereignty-washing' Brussels urged to pay 'sovereignty premium' to narrow China battery gap While the EC isn't saying much, reports claim a threat actor may have gained access to the Commission's AWS cloud environment and exfiltrated more than 350 GB of data One line the Commission is keen to stress is that internal systems were not affected, at least based on what it knows so far. If that assessment holds, it suggests reasonable separation between public web services and the core network, limiting how far an attacker could go once inside. Even so, this is the Commission's second security headache in quick succession. Just last month, Brussels admitted that Commission-issued mobile phones had been compromised , an intrusion that "may have resulted in access to staff names and mobile numbers of some of its staff members." The EC's barely there statement leans on the usual line about Europe facing constant cyber pressure, with references to NIS2 and other initiatives. That may be true, but it doesn't explain how this one happened – or why there's so little detail about it. ® Share More about Cybercrime Data Breach European Commission More like these × More about Cybercrime Data Breach European Commission European Union Security Narrower topics 2FA Advanced persistent threat Application Delivery Controller Austria Authentication BEC Belgium Black Hat Brexit BSides Bug Bounty Bulgaria Center for Internet Security CHERI CISO Common Vulnerability Scoring System Croatia Cybersecurity Cybersecurity and Infrastructure Security Agency Cybersecurity Information Sharing Act Cyprus Czech Republic Data Protection Data Theft DDoS DEF CON Denmark Digital certificate Encryption End Point Protection Estonia Exploit Finland Firewall France GDPR Germany Google Project Zero Greece Hacker Hacking Hacktivism Hungary Identity Theft Incident response Infosec Infrastructure Security Ireland Italy Kenna Security Latvia Lithuania Luxembourg Malta NCSAM NCSC Netherlands Palo Alto Networks Password Personally Identifiable Information Phishing Poland Portugal Quantum key distribution Ransomware Remote Access Trojan REvil Romania RSA Conference Slovakia Slovenia Software Bill of Materials Spain Spamming Spyware Surveillance Sweden TLS Trojan Trusted Platform Module Vulnerability Wannacry Zero trust More about Share POST A COMMENT More about Cybercrime Data Breach European Commission More like these × More about Cybercrime Data Breach European Commission European Union Security Narrower topics 2FA Advanced persistent threat Application Delivery Controller Austria Authentication BEC Belgium Black Hat Brexit BSides Bug Bounty Bulgaria Center for Internet Security CHERI CISO Common Vulnerability Scoring System Croatia Cybersecurity Cybersecurity and Infrastructure Security Agency Cybersecurity Information Sharing Act Cyprus Czech Republic Data Protection Data Theft DDoS DEF CON Denmark Digital certificate Encryption End Point Protection Estonia Exploit Finland Firewall France GDPR Germany Google Project Zero Greece Hacker Hacking Hacktivism Hungary Identity Theft Incident response Infosec Infrastructure Security Ireland Italy Kenna Security Latvia Lithuania Luxembourg Malta NCSAM NCSC Netherlands Palo Alto Networks Password Personally Identifiable Information Phishing Poland Portugal Quantum key distribution Ransomware Remote Access Trojan REvil Romania RSA Conference Slovakia Slovenia Software Bill of Materials Spain Spamming Spyware Surveillance Sweden TLS Trojan Trusted Platform Module Vulnerability Wannacry Zero trust TIP US OFF Send us news