Hackers stole nearly 100 gigabytes of sensitive data from the European Commission’s cloud platform, exposing personal information and internal communications. Two well-known hacking groups are behind the breach, which has caused concern throughout the EU.
How the Breach Happened
The European Union’s main cybersecurity unit, CERT-EU, revealed the breach began when hackers used a stolen AWS access key tied to the Commission’s Amazon Web Services (AWS) account. That key was exposed after the Commission unknowingly installed a compromised version of Trivy, an open source vulnerability scanner. A scanner of this kind typically runs inside build and deployment pipelines with the pipeline’s own credentials in reach, which is how a tampered build can leak a cloud key. The attackers then used that key to get into the cloud infrastructure running Europa.eu, the platform hosting multiple EU institutions’ websites and publications.
The breach started around March 19, and CERT-EU’s investigation found that roughly 92 gigabytes of compressed data were taken. That haul includes names, email addresses, and email content, though many of those emails appear to be automated messages. Still, messages that bounced back with delivery errors could carry sensitive user-submitted content, which makes the leak especially worrying.
Interestingly, two different hacking groups seem to be involved. CERT-EU blames TeamPCP for the initial breach, but another infamous gang, ShinyHunters, is believed to have leaked the stolen data online.
Members of ShinyHunters told TechCrunch they merely published data they obtained from TeamPCP’s earlier attacks. It’s rare for two separate groups to be connected to the same incident like this.
TeamPCP has a shady history tied to ransomware attacks and crypto-mining schemes. Security firm Aqua Security says the group has recently focused on supply chain attacks that compromise open source security projects, making this breach part of a larger, disturbing trend.
Scope and Impact
The breach didn’t just hit the European Commission. CERT-EU warns that at least 29 other EU entities might have had data stolen too, along with dozens of internal Commission clients.
That means the fallout could spread across multiple government bodies and agencies.
ShinyHunters claims on social media to have posted over 350 gigabytes of data linked to the Commission, including emails, confidential documents, contracts, and employee personal information. Screenshots shared online show what appear to be internal admin URLs, user directories, and credentials for platforms such as NextCloud and Athena, a financing tool used by the military.
Security experts say the breach might cause identity theft, disrupt operations, and lead to spear-phishing attacks against EU officials. Nick Tausek, a security architect at Swimlane, said the data exposed could open the door to secondary attacks aimed at compromising more accounts or disrupting services.
Responses and Ongoing Investigations
The European Commission first detected the intrusion on March 24 and quickly moved to contain it. Officials say the breach didn’t affect their internal systems and that Europa.eu websites remained available throughout. They’re still analyzing the full impact and notifying affected organizations.
Though AWS confirmed its cloud services weren’t themselves compromised, the attackers used the stolen access key to read Commission data hosted on AWS. To the cloud provider, a request signed with a valid key looks like legitimate use, so keeping keys out of the wrong hands, scoping their permissions, and watching where they are used from is the customer’s job. That distinction is why credential theft and supply chain compromise, rather than a break-in at the provider, are the more common route into cloud-hosted data.
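The point above, that a stolen key is indistinguishable from legitimate use unless someone checks where and how it is used, is easiest to see on log data. The following is an added example written for this page, not code from CERT-EU, the Commission, or AWS: it triages CloudTrail-style records for an access key that suddenly appears from outside its expected network and starts with the enumeration calls an attacker makes first. The key IDs, IP ranges, timestamps and events are all constructed for the example.

```python
"""Triage CloudTrail records for an access key used from outside its expected
network footprint. Added example, not part of the original article; all
records, key IDs and CIDRs below are constructed."""
import ipaddress

# Constructed key IDs in the AKIA... format (not real credentials).
KEY_CI = "AKIAEXAMPLECI0000001"    # key a CI pipeline uses to read build artifacts
KEY_OPS = "AKIAEXAMPLEOPS000002"   # key an operator uses from the office network

# Constructed CloudTrail-style records, trimmed to the fields the triage needs.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-18T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-sdk-go/1.44", "userIdentity": {"accessKeyId": KEY_CI}},
    {"eventTime": "2026-03-19T14:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"accessKeyId": KEY_CI}},
    {"eventTime": "2026-03-19T14:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"accessKeyId": KEY_CI}},
    {"eventTime": "2026-03-19T14:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"accessKeyId": KEY_CI}},
    {"eventTime": "2026-03-19T15:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.20.0.5",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"accessKeyId": KEY_OPS}},
]

# Source CIDRs each key is expected to be used from (constructed allowlist).
TRUSTED_CIDRS = {
    KEY_CI: ["203.0.113.0/24"],
    KEY_OPS: ["10.20.0.0/16"],
}

# API calls an attacker typically makes first with a freshly stolen key.
RECON_CALLS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
               "ListAccessKeys", "GetAccountAuthorizationDetails"}
# Calls that actually move data out rather than just enumerate.
DATA_ACCESS_CALLS = {"GetObject", "ListObjects", "ListObjectsV2", "GetSecretValue"}


def _is_trusted(ip, cidrs):
    """True if ip falls inside any allowed CIDR. Non-IP sources (for example an
    AWS service name) are treated as untrusted so a human looks at them."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triage_access_keys(events, trusted_cidrs):
    """Group calls made from untrusted sources per access key and summarise
    when they started, where they came from and what they did."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["userIdentity"].get("accessKeyId")
        if not key or _is_trusted(ev["sourceIPAddress"], trusted_cidrs.get(key, [])):
            continue
        f = findings.setdefault(key, {
            "first_seen": ev["eventTime"], "untrusted_ips": set(),
            "user_agents": set(), "calls": [], "recon": False, "data_access": False})
        f["untrusted_ips"].add(ev["sourceIPAddress"])
        f["user_agents"].add(ev["userAgent"])
        f["calls"].append(ev["eventName"])
        f["recon"] = f["recon"] or ev["eventName"] in RECON_CALLS
        f["data_access"] = f["data_access"] or ev["eventName"] in DATA_ACCESS_CALLS
    return findings


def keys_to_rotate(findings):
    """Keys that were used from an unexpected source to enumerate or read data.
    These get deactivated first (aws iam update-access-key --status Inactive)
    and investigated afterwards; a lone untrusted call still deserves review
    but not an automatic cut-off."""
    return sorted(k for k, f in findings.items() if f["recon"] or f["data_access"])


if __name__ == "__main__":
    result = triage_access_keys(SAMPLE_EVENTS, TRUSTED_CIDRS)
    for key, f in result.items():
        print(f"{key}: first untrusted use {f['first_seen']} from "
              f"{sorted(f['untrusted_ips'])}, calls={f['calls']}, "
              f"recon={f['recon']}, data_access={f['data_access']}")
    print("rotate:", keys_to_rotate(result))
```

On the constructed records the CI key is flagged at 14:05 on March 19, when a `GetCallerIdentity` followed by `ListBuckets` and `GetObject` arrives from an address outside the pipeline’s range; the operator key stays clean. In a real account the allowlist would come from the pipeline’s NAT addresses and office egress, and the same logic would run as a CloudTrail-to-alert rule rather than a batch script.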
Meanwhile, CERT-EU is in contact with affected entities across the EU and continues to examine the data leaked online. The Commission’s spokesperson said they will issue comments once their offices reopen after a brief closure.
The Bigger Picture
ShinyHunters is no stranger to high-profile data breaches. Last year, the group hit tech giants like Google and luxury brands such as Chanel, stealing Single Sign-On (SSO) credentials and customer data from platforms like Salesforce. Their tactics include vishing (voice phishing), in which attackers impersonate IT helpdesks to talk victims into handing over credentials.
TeamPCP’s focus on supply chain attacks is a worrying trend. By compromising an open source project used by thousands of organizations, a group can reach many victims through a single break-in. The Trivy incident shows how one tampered tool in the software supply chain can end in a large data breach.
European governments have faced a steady stream of cyberattacks recently, with zero-day exploits targeting software vendors and government networks. The latest breach adds to concerns about the bloc’s cybersecurity readiness as geopolitical tensions rise worldwide.
Experts argue the EU needs to boost its defenses, improve incident response, and train staff on phishing and supply chain threats. The fallout could also push policymakers to move faster on cybersecurity reforms and tighter cloud security standards.
This breach highlights how cybercriminals take advantage of all kinds of weaknesses, from open source tools to stolen credentials, to attack government targets. With multiple hacking groups tangled in this incident, the fallout is far from over.