The European Commission Got Breached Via Amazon Cloud Infrastructure
The European Commission, the executive body responsible for running the European Union, is investigating a security breach after a threat actor gained unauthorised access to its Amazon Web Services cloud infrastructure. The incident, reported by BleepingComputer, puts one of the world's most scrutinised public institutions in an uncomfortable position: explaining how attackers got in, what they accessed, and whether any sensitive data left the building. Details remain limited at the time of writing, which is itself telling. When organisations cannot quickly characterise the scope of a breach, it typically means forensic work is still in progress — and that the incident was not caught in real time. That gap between compromise and discovery is where the real damage happens. This is not a story about Amazon Web Services being insecure. AWS provides the infrastructure. What happens on top of it — the configuration, the access controls, the monitoring — is the customer's responsibility. That shared responsibility model is one of the most consistently misunderstood aspects of cloud security, and this breach is a textbook illustration of why.
Why Is the Cloud Shared Responsibility Model So Frequently Misunderstood?
The shared responsibility model divides security obligations between the cloud provider and the customer. AWS secures the physical data centres, the hypervisor, and the underlying network. The customer is responsible for everything built on top of that: identity and access management, data classification, encryption configuration, network segmentation, and monitoring. The dividing line moves with the service model. On EC2 the customer also patches the operating system; on a managed service such as RDS or Lambda, AWS takes that on, but the customer still owns who may call the service and what it may reach. In practice, many organisations assume the cloud provider handles more than it does. This assumption is especially dangerous in large, complex environments where multiple teams manage different workloads and no single person has a complete picture of what is exposed. According to the 2024 Verizon Data Breach Investigations Report, misconfiguration and misuse account for a significant proportion of cloud-related incidents. The pattern is consistent year on year: not sophisticated zero-days, but basic configuration errors and excessive permissions that attackers find and exploit. For the European Commission, the specific attack vector has not been publicly confirmed. However, the most common entry points into cloud environments follow a familiar pattern: compromised credentials (leaked access keys, phished console logins), over-privileged service accounts, exposed storage buckets, or vulnerabilities in internet-facing applications running on cloud infrastructure. Any one of these gives an attacker a foothold. From there, lateral movement in AWS rarely looks like network traversal. It is mostly identity-driven: the attacker enumerates what the compromised principal is allowed to do, assumes further roles with sts:AssumeRole, or harvests credentials from the instance metadata service. If CloudTrail, VPC flow logs and GuardDuty are not enabled and actually watched, that chain leaves no trace that anyone is reading.
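Two of the entry points listed above, over-privileged service accounts and exposed storage buckets, can be checked mechanically from the policy documents themselves. The following is an added example, not code from the original page or from Hadrian or any other vendor named on it: it audits IAM identity policies for wildcard grants of sensitive actions and S3 bucket policies for anonymous access. The policy documents and the SENSITIVE_ACTIONS shortlist are constructed assumptions; in practice the JSON would come from `aws iam get-role-policy` and `aws s3api get-bucket-policy`.

```python
"""Audit IAM identity policies and S3 bucket policies for two common
cloud misconfigurations: over-privileged principals and buckets that
anyone on the internet can read.

Added example; the policy documents below are constructed for
illustration and do not come from any real account.
"""
import fnmatch

# Actions whose unintended grant usually turns a foothold into full
# account compromise (assumed shortlist; extend to taste).
SENSITIVE_ACTIONS = (
    "iam:*",                          # create users, attach policies
    "sts:assumerole",                 # pivot into other roles/accounts
    "s3:*",                           # read or delete every bucket
    "kms:decrypt",                    # unwrap encrypted data
    "secretsmanager:getsecretvalue",  # harvest application secrets
)


def _as_list(value):
    """IAM fields such as Action, Resource and Statement may be a single
    string or a list; normalise to a list so callers need not care."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overprivileged(policy):
    """Return findings for Allow statements granting sensitive actions on
    every resource.  Flags an Action wildcard ("*" or "service:*") that
    covers a sensitive action while Resource is "*", and NotAction, which
    allows everything except the listed actions."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction inverts the allow list")
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # scoped to named ARNs; out of scope for this check
        for pattern in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive and use * and ?
            # wildcards, which fnmatch handles ('[' never appears in one).
            hits = [a for a in SENSITIVE_ACTIONS
                    if fnmatch.fnmatchcase(a, pattern.lower())]
            if hits:
                findings.append(
                    f"statement {i}: {pattern} on Resource * covers {', '.join(hits)}")
    return findings


def is_anonymous_principal(principal):
    """True when a statement's Principal is the wildcard, i.e. anyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_public_buckets(bucket_policies):
    """bucket_policies maps bucket name -> policy document.  Returns the
    buckets with an unconditional Allow for an anonymous principal.
    Statements carrying a Condition (e.g. aws:SourceVpce, aws:SourceIp)
    are treated as restricted and left for manual review."""
    public = []
    for name, policy in bucket_policies.items():
        for stmt in _as_list(policy.get("Statement")):
            if (stmt.get("Effect") == "Allow"
                    and is_anonymous_principal(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                public.append(name)
                break
    return sorted(public)


# --- constructed sample policies (not from any real account) -------------
ROLE_POLICY_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::reports-bucket/*"},
]}

ROLE_POLICY_BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
]}

BUCKET_POLICIES = {
    "public-website-assets": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-website-assets/*"}]},
    "internal-reports": {"Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::internal-reports/*"}]},
    "vpce-only": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::vpce-only/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
}

if __name__ == "__main__":
    for line in find_overprivileged(ROLE_POLICY_BAD):
        print("over-privileged:", line)
    print("public buckets:", find_public_buckets(BUCKET_POLICIES))
```

A hit from find_public_buckets means "review", not necessarily "exposed": S3 Block Public Access at the account or bucket level overrides a public bucket policy. The reverse also holds, since a bucket with no policy can still be public through an ACL, which this check does not read.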
What Does an Attack Surface Look Like at Institutional Scale?
Large organisations — governments, financial institutions, multinationals — tend to have complex, distributed cloud environments that have grown organically over years. New workloads get spun up. Old ones are forgotten but not decommissioned. Shadow IT introduces assets that the security team never catalogued. The result is an attack surface that is larger than anyone realises. This is precisely the problem that continuous attack surface management exists to solve. Tools like Hadrian, which Kyanite Blue offers as part of its security stack, map an organisation's external-facing infrastructure automatically and continuously. Rather than waiting for an annual penetration test to reveal exposed services or misconfigured assets, organisations get a live picture of what attackers can see — and what they might try first. The distinction between a point-in-time assessment and continuous monitoring matters enormously. A penetration test conducted in January tells you nothing about the misconfigured S3 bucket a developer created in March. Attackers do not wait for your next scheduled review. They scan continuously, and your defences need to match that tempo. For UK businesses managing cloud workloads — whether on AWS, Azure, or Google Cloud — the question is not whether your environment was secure when you last checked it. The question is whether it is secure right now, and whether you would know if something changed overnight. You can explore how Hadrian addresses this at /products/hadrian.
How Do Attackers Monetise Cloud Breaches Beyond Ransomware?
When most people think of a cloud breach, they think of ransomware: encrypt the data, demand payment, cause chaos. That threat is real, but it is not the only one, and in high-value institutional targets it may not even be the primary objective. Data exfiltration is increasingly the goal. Sensitive documents, communications, internal reports, or personally identifiable information all have value: for espionage purposes, for future extortion, for sale on criminal forums, or for geopolitical leverage. The European Commission handles policy negotiations, legislative drafts, internal communications, and data that governments and corporations would pay dearly to access. The challenge with exfiltration is that it is quiet. An attacker who is extracting data at low volumes over an extended period generates far less noise than one deploying ransomware. By the time the breach is discovered, the data has already left. This is the specific threat that anti data exfiltration technology is designed to counter. BlackFog, which Kyanite Blue provides to clients, operates at the device level to detect and block unauthorised data leaving the network, regardless of whether the exfiltration method is recognised malware or a novel technique. It works by monitoring outbound data behaviour rather than relying solely on signature-based detection. One caveat a cloud team should not skip: an attacker holding stolen AWS keys can pull data straight from S3 or a database snapshot with API calls that never touch a managed device or the corporate network. Device-level controls do not see that path, so they need to be paired with cloud-side telemetry (CloudTrail data events, VPC flow logs, S3 server access logs) and alerting on unusual read volumes. For organisations managing sensitive information in cloud environments, that behavioural layer is the difference between catching an exfiltration attempt in progress and reading about it in a breach notification three months later. Find out more at /products/blackfog.
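The low-and-slow pattern described above is visible in network telemetry, provided someone is aggregating it per destination rather than looking at flows one at a time. The following detector is an added example, not code from the original page or from BlackFog: it runs over constructed VPC Flow Logs v2 records, not anything from the Commission's environment, and the private ranges, thresholds and sample hosts are assumptions to be tuned against a real baseline.

```python
"""Spot data leaving a VPC in two shapes: one large transfer, and a steady
low-volume trickle to a single external host at regular intervals.

Added example.  Input is the default VPC Flow Logs v2 record format; the
log lines are constructed and the thresholds are assumed starting points.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VOLUME_LIMIT = 50_000_000   # bytes to one external host in the window
MIN_FLOWS = 6               # flows needed before timing is judged
MAX_GAP_CV = 0.25           # coefficient of variation of inter-flow gaps


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_RANGES)


def parse_flow(line):
    """Parse one v2 record: version account-id interface-id srcaddr dstaddr
    srcport dstport protocol packets bytes start end action log-status.
    Returns None for NODATA/SKIPDATA records and anything that is not v2."""
    f = line.split()
    if len(f) < 14 or f[0] != "2" or f[13] != "OK":
        return None
    return {"src": f[3], "dst": f[4], "dport": int(f[6]),
            "bytes": int(f[9]), "start": int(f[10]), "action": f[12]}


def find_exfil(lines):
    """Return (src, dst, kind, total_bytes) alerts.  kind is 'bulk' when the
    byte total to one external host exceeds VOLUME_LIMIT, or 'low-and-slow'
    when MIN_FLOWS or more smaller flows to one host arrive at near-regular
    intervals, which is what a throttled, scheduled exfiltration looks like."""
    egress = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            egress[(rec["src"], rec["dst"])].append(rec)

    alerts = []
    for (src, dst), recs in egress.items():
        total = sum(r["bytes"] for r in recs)
        if total > VOLUME_LIMIT:
            alerts.append((src, dst, "bulk", total))
            continue
        if len(recs) >= MIN_FLOWS:
            starts = sorted(r["start"] for r in recs)
            gaps = [b - a for a, b in zip(starts, starts[1:])]
            # near-constant spacing => low dispersion relative to the mean
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_GAP_CV:
                alerts.append((src, dst, "low-and-slow", total))
    return alerts


def flow_line(src, dst, dport, nbytes, start, action="ACCEPT"):
    """Build a constructed v2 flow record (account ID and ENI are dummies)."""
    packets = max(1, nbytes // 1400)
    return (f"2 123456789012 eni-0a1b2c3d4e5f60718 {src} {dst} 49152 {dport} 6 "
            f"{packets} {nbytes} {start} {start + 60} {action} OK")


T0 = 1_700_000_000
SAMPLE_LOG = (
    # 8 x 900 KB every 10 minutes to one host: well under the bulk limit
    [flow_line("10.0.1.25", "198.51.100.7", 443, 921_600, T0 + i * 600) for i in range(8)]
    # one 80 MB push: obvious bulk transfer
    + [flow_line("10.0.1.40", "203.0.113.9", 443, 80_000_000, T0 + 300)]
    # ordinary browsing: few flows, irregular sizes and timing
    + [flow_line("10.0.1.25", "203.0.113.50", 443, b, t)
       for b, t in ((12_000, T0 + 100), (340_000, T0 + 900), (2_200, T0 + 3400))]
    # an inbound flow and a rejected attempt: both ignored
    + [flow_line("203.0.113.50", "10.0.1.25", 49152, 5_400, T0 + 100),
       flow_line("10.0.1.60", "198.51.100.7", 443, 500_000, T0 + 1000, "REJECT")]
)

if __name__ == "__main__":
    for src, dst, kind, total in find_exfil(SAMPLE_LOG):
        print(f"{kind:12s} {src} -> {dst}  {total:,} bytes")
```

Two limits of this view are worth knowing. Traffic to S3 through a gateway endpoint shows up against AWS-owned addresses rather than the attacker's, so the destination filter should be extended with the account's known endpoints; and API reads made from outside the VPC with stolen keys never appear in flow logs at all, which is why CloudTrail data events for S3 are the complementary source.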
What Should UK and NZ Organisations Take From This Incident?
It would be easy to look at a breach involving the European Commission's infrastructure and conclude it is someone else's problem. That reasoning is flawed in two directions. First, the attack techniques used against large institutions are the same ones used against mid-market businesses. Attackers do not reserve credential stuffing, misconfiguration exploitation, or supply chain compromise for governments. These are scalable, automated techniques that work regardless of the size of the target. Second, cloud security maturity in the UK mid-market lags behind where it needs to be. The Cyber Security Breaches Survey 2023, published by the UK Department for Science, Innovation and Technology, found that 32% of UK businesses identified a cyber attack or breach in the previous 12 months, with phishing by far the most commonly reported attack type. Mid-sized organisations managing cloud workloads often lack the dedicated cloud security expertise to configure and monitor their environments correctly. For businesses in New Zealand and Australia, the threat landscape is comparable. Ransomware groups and state-affiliated threat actors operate across borders; geography provides no protection. Organisations in those markets using ESET for endpoint protection get a strong baseline, but endpoint security alone does not address cloud misconfiguration, supply chain risk, or data exfiltration via non-traditional channels. A layered approach is the only one that holds. You can find out how Kyanite Blue supports organisations in New Zealand at /new-zealand and across Australia at /australia.
The Supply Chain Angle Nobody Is Talking About
Cloud infrastructure breaches rarely stay contained to the primary target. If the European Commission's cloud environment was compromised, the natural next question is what else was connected to it. Third-party vendors with API integrations, partner organisations sharing data, contractors with access credentials — all of these represent potential downstream exposure. Third-party supply chain risk has moved from a niche concern to a primary attack vector. The 2020 SolarWinds compromise and the 2023 MOVEit vulnerabilities both demonstrated how a single point of weakness in a supply chain can expose hundreds or thousands of downstream organisations. The European Commission has an exceptionally broad supplier and partner ecosystem. For organisations that want visibility into the security posture of their vendors and third parties, Panorays offers continuous supply chain risk monitoring. It assesses external-facing security signals for your supplier base and flags deteriorating posture before it becomes your problem. At /products/panorays, you can see how this applies to organisations managing complex vendor relationships. The principle is straightforward: you are only as secure as the weakest organisation that has access to your environment. In a cloud context, where integrations and shared access are standard practice, that principle applies with particular force.
Three Security Controls That Would Have Reduced the Blast Radius
Without confirmation of the specific attack vector, it is not possible to say definitively what would have prevented this breach. What is possible is identifying the controls that consistently reduce the impact of cloud compromise, regardless of how the attacker got in. These are not theoretical mitigations. They are the baseline that any organisation managing sensitive data in cloud environments should have in place.
- Continuous attack surface monitoring: Know what is exposed before attackers do. Automated, continuous scanning of your external infrastructure catches newly exposed assets and misconfigurations before they are exploited. Hadrian provides this capability with AI-driven prioritisation so remediation effort goes where it matters most.
- Anti data exfiltration controls: If an attacker achieves access, the next objective is data theft. Behavioural controls that monitor and block outbound data flows — independent of whether the technique is known — significantly limit what an attacker can take. BlackFog operates at this layer.
- Third-party access governance: Restrict and audit what external parties can access in your cloud environment: cross-account roles scoped to the minimum permissions the integration needs, an external ID condition on every role a vendor assumes, and a periodic review of who still holds access at all. Panorays complements that by providing continuous visibility into your suppliers' security posture, flagging risks before they create exposure in your environment.
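For the access-restriction half of the third control, the artefact to audit in AWS is the trust policy of every role a vendor or partner can assume. The following is an added example, not code from the original page or from Panorays: it flags roles assumable by any AWS account, and roles trusted to a third-party account without an sts:ExternalId condition, which is the standard guard against the confused-deputy problem. The trust policies and the OWN_ACCOUNTS allowlist are constructed assumptions; in practice the documents come from the AssumeRolePolicyDocument field of `aws iam list-roles`.

```python
"""Audit IAM role trust policies for third-party (cross-account) access.

Added example; trust policies below are constructed and OWN_ACCOUNTS is an
assumed allowlist of the organisation's own AWS account IDs.
"""
import re

OWN_ACCOUNTS = {"111122223333"}  # assumption: the organisation's own accounts


def _as_list(value):
    """Normalise IAM's string-or-list fields to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Account IDs an AWS principal resolves to ('*' for the wildcard).
    Service and Federated principals yield no account and are ignored."""
    if principal == "*":
        return {"*"}
    accounts = set()
    if isinstance(principal, dict):
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                accounts.add("*")
            else:  # either an ARN (arn:aws:iam::ACCT:...) or a bare account ID
                m = re.search(r"(?:^|:)(\d{12})(?::|$)", p)
                if m:
                    accounts.add(m.group(1))
    return accounts


def has_external_id(stmt):
    """True if any Condition operator pins sts:ExternalId, the control that
    stops a vendor's multi-tenant system being tricked into assuming your
    role on another customer's behalf."""
    cond = stmt.get("Condition") or {}
    return any("sts:ExternalId" in keys
               for keys in cond.values() if isinstance(keys, dict))


def audit_trust_policy(role_name, policy, own_accounts=OWN_ACCOUNTS):
    """Return (role, severity, detail) for every Allow statement that lets a
    principal outside own_accounts assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        accounts = principal_accounts(stmt.get("Principal"))
        if "*" in accounts:
            findings.append((role_name, "high",
                             f"statement {i}: any AWS account may assume this role"))
            continue
        for acct in sorted(accounts - own_accounts):
            if has_external_id(stmt):
                findings.append((role_name, "info",
                                 f"statement {i}: third party {acct} with sts:ExternalId; confirm still needed"))
            else:
                findings.append((role_name, "high",
                                 f"statement {i}: third party {acct} trusted without sts:ExternalId"))
    return findings


def audit_all(trust_policies, own_accounts=OWN_ACCOUNTS):
    """trust_policies maps role name -> trust policy; returns all findings."""
    out = []
    for name, pol in trust_policies.items():
        out.extend(audit_trust_policy(name, pol, own_accounts))
    return out


ASSUME = "sts:AssumeRole"
SAMPLE_TRUST_POLICIES = {  # constructed; account IDs are placeholders
    "vendor-monitoring": {"Statement": [{
        "Effect": "Allow", "Action": ASSUME,
        "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": "8f3c-vendor-tenant-42"}}}]},
    "legacy-integration": {"Statement": [{
        "Effect": "Allow", "Action": ASSUME,
        "Principal": {"AWS": "arn:aws:iam::777788889999:root"}}]},
    "open-to-world": {"Statement": [{
        "Effect": "Allow", "Action": ASSUME, "Principal": {"AWS": "*"}}]},
    "internal-deploy": {"Statement": [{
        "Effect": "Allow", "Action": ASSUME,
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-runner"}}]},
    "ec2-instance": {"Statement": [{
        "Effect": "Allow", "Action": ASSUME,
        "Principal": {"Service": "ec2.amazonaws.com"}}]},
}

if __name__ == "__main__":
    for role, severity, detail in audit_all(SAMPLE_TRUST_POLICIES):
        print(f"[{severity}] {role}: {detail}")
```

The "info" findings are the ones to take to the vendor review: each is a standing door into the environment, and the question is whether the integration behind it still exists. Federated (SAML/OIDC) principals are deliberately skipped here; they need a separate check on the identity provider's audience and subject conditions.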
Frequently Asked Questions
How do attackers commonly breach cloud environments like AWS?
The most common cloud breach methods are compromised credentials, over-privileged service accounts, misconfigured storage (such as exposed S3 buckets), and vulnerabilities in internet-facing applications hosted on cloud infrastructure. According to the 2024 Verizon Data Breach Investigations Report, misconfiguration and misuse are consistently among the leading causes of cloud-related incidents, not sophisticated zero-day exploits.
What is the shared responsibility model in cloud security?
The cloud shared responsibility model divides security obligations between the provider and the customer. The cloud provider (such as AWS) secures the physical infrastructure and underlying network. The customer is responsible for identity and access management, data encryption, network configuration, and monitoring. Many breaches occur because customers assume the provider handles more than it does.
How can UK businesses protect themselves from the same type of cloud breach?
UK businesses should implement continuous attack surface monitoring to detect exposed cloud assets in real time, deploy anti data exfiltration controls to block unauthorised data leaving their environment, and maintain active visibility into third-party supplier access. Point-in-time assessments such as annual penetration tests leave gaps that attackers exploit in the months between reviews.