TL;DR: The European Commission, the institution that wrote the GDPR, the regime under which European regulators have issued €7.1 billion in privacy fines, got breached twice in three months. In January, attackers exploited Ivanti zero-day vulnerabilities in its mobile device management platform and accessed staff names and phone numbers. On March 24, ShinyHunters raided its AWS cloud infrastructure and stole 350GB of data: email server contents, databases, confidential documents, a full SSO user directory, DKIM signing keys, and AWS configuration snapshots. Until those keys are rotated and the old public keys withdrawn from DNS, the stolen DKIM keys let attackers forge emails that pass authentication from official EC domains. The Commission says its internal systems weren’t affected. Security researchers disagree about what that distinction even means anymore.
March 24: ShinyHunters Hit the Jackpot
ShinyHunters, the group behind the Ticketmaster breach (560 million records), the AT&T data theft (70 million subscribers), and the Snowflake supply chain attacks, went after the European Commission on March 24, 2026 [1].
They got in through an AWS account hosting the Europa.eu web platform. Not by breaking AWS itself. Amazon was quick to note that “AWS did not experience a security event” and that “its services operated as designed” [2]. The attackers exploited the Commission’s own side of the shared-responsibility line, its access controls: a compromised account or misconfigured credentials.
What they took makes a typical data breach look like a parking ticket:
- 350GB of data from Europa.eu infrastructure
- Email server contents including emails and attachments
- Full SSO user directory (the authentication backbone of the Commission’s systems)
- DKIM signing keys (the private keys whose signatures let receiving mail servers confirm that a message was sent by EC domains)
- AWS configuration snapshots (a blueprint of the Commission’s cloud architecture)
- Databases and confidential documents including contracts [3]
ShinyHunters isn’t demanding ransom. They’ve announced plans to dump everything publicly. This isn’t extortion. It’s reputational demolition.
The DKIM Time Bomb
Most breaches steal data. This one stole trust.
DKIM (DomainKeys Identified Mail) signing keys are the cryptographic proof that an email actually came from the domain it claims to come from. The sending server signs selected headers and the body with a private key; the receiving server fetches the matching public key from DNS (published under a selector at the signing domain) and checks the signature. DMARC then ties that verified signing domain to the From: address your email client displays. When your email client shows a message from @ec.europa.eu, DKIM is what verifies it’s legitimate [4].
With those keys in hand, ShinyHunters (or anyone they share or sell them to) can forge emails that pass standard authentication checks. Emails that look like they came from the European Commission. Emails that recipient servers will accept as genuine, DMARC included, because the signing domain in the forged signature is the real one. Nothing in the message itself distinguishes a forgery signed with the stolen key from the genuine article.
“DKIM signing keys and AWS config snapshots in the same breach is catastrophic,” security researchers noted. “With DKIM keys, ShinyHunters can forge emails that pass authentication from EU Commission domains, perfect for spear-phishing EU member states” [5].
Think about who trusts emails from the European Commission: 27 member state governments, NATO allies, trade partners, international organizations, thousands of lobbyists and regulators. Every one of them is now a phishing target with a forged sender they can’t easily detect.
Until the Commission confirms it has rotated all affected DKIM keys (and it hasn’t), every email from an EC domain should be treated with suspicion [4]. Rotation here means two things: publishing new keys under new selectors, and deleting the old selectors’ public-key records from DNS. Only the second step revokes anything. As long as a receiving server can still resolve the old selector, the stolen private key keeps producing signatures that verify.
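To make that mechanism concrete, here is an added example in Go; it is not code from the article or from any EC system. It models the DKIM cycle end to end: a sender signs with a private key, a receiver looks the public key up by selector and domain in DNS and verifies, an attacker holding the stolen private key signs a forgery that verifies identically, and rotation (publish a new selector, delete the old record) is what finally breaks the forgery. Everything in it is constructed: the DNS zone is a map, the selector names s2024 and s2026 and the messages are invented, and the header format is simplified relative to RFC 6376 (no bh= tag, no relaxed canonicalization). The domain ec.europa.eu appears only because the article names it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// zone stands in for DNS: real DKIM publishes the key as a TXT record at "<selector>._domainkey.<domain>".
type zone map[string]*rsa.PublicKey

// message is a minimal mail: header name -> value, plus body (all sample data below is constructed).
type message struct {
	headers map[string]string
	body    string
}

var signedHeaders = []string{"From", "Subject"} // the h= tag: headers the signature covers

// sigHeader builds the DKIM-Signature value. Real DKIM also carries bh= and canonicalization rules; this model folds the body into the single digest instead.
func sigHeader(d, s, b string) string {
	return fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=%s; b=%s",
		d, s, strings.ToLower(strings.Join(signedHeaders, ":")), b)
}

func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// digest hashes the signed headers, the DKIM-Signature header with b= emptied, and the body.
func digest(m message, d, s string) []byte {
	var sb strings.Builder
	for _, h := range signedHeaders {
		sb.WriteString(strings.ToLower(h) + ":" + strings.TrimSpace(m.headers[h]) + "\r\n")
	}
	sb.WriteString("dkim-signature:" + sigHeader(d, s, "") + "\r\n\r\n" + m.body)
	sum := sha256.Sum256([]byte(sb.String()))
	return sum[:]
}

// sign returns the DKIM-Signature header a sending MTA adds; anyone holding the private key can produce it.
func sign(m message, d, s string, key *rsa.PrivateKey) string {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(m, d, s))
	if err != nil {
		panic(err) // cannot happen with a well-formed key; demo code
	}
	return sigHeader(d, s, base64.StdEncoding.EncodeToString(sig))
}

// verify is what a receiving MTA does: fetch the selector's key from DNS and check b=.
func verify(m message, dkimHeader string, z zone) error {
	t := parseTags(dkimHeader)
	pub, ok := z[t["s"]+"._domainkey."+t["d"]]
	if !ok {
		return fmt.Errorf("no key record for selector %q (deleted or never published)", t["s"])
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"]) // a malformed b= simply fails verification below
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(m, t["d"], t["s"]), sig)
}

type outcome struct{ Legit, Forged, ForgedAfterRotation, LegitAfterRotation bool }

// runScenario replays the article's concern: the stolen key signs a forgery that passes, and only deleting the old selector's DNS record stops it.
func runScenario() outcome {
	const domain = "ec.europa.eu" // the domain named in the article; the DNS zone here is simulated
	oldKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	newKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	z := zone{"s2024._domainkey." + domain: &oldKey.PublicKey}
	legit := message{map[string]string{"From": "press@" + domain, "Subject": "Press briefing"}, "Agenda attached.\r\n"}
	phish := message{map[string]string{"From": "sg@" + domain, "Subject": "Urgent: re-authenticate"}, "Sign in below.\r\n"}
	o := outcome{Legit: verify(legit, sign(legit, domain, "s2024", oldKey), z) == nil}
	// The attacker holds oldKey and signs their own text under the genuine d= and s=; the receiver cannot tell.
	forgedSig := sign(phish, domain, "s2024", oldKey)
	o.Forged = verify(phish, forgedSig, z) == nil
	// Rotation: publish a new selector, then delete the compromised one. Only the deletion revokes the stolen key.
	z["s2026._domainkey."+domain] = &newKey.PublicKey
	delete(z, "s2024._domainkey."+domain)
	o.ForgedAfterRotation = verify(phish, forgedSig, z) == nil
	o.LegitAfterRotation = verify(legit, sign(legit, domain, "s2026", newKey), z) == nil
	return o
}

func main() {
	fmt.Printf("%+v\n", runScenario()) // {Legit:true Forged:true ForgedAfterRotation:false LegitAfterRotation:true}
}
```

`go run` prints the outcome struct. `Forged:true` is the breach’s whole problem in one field: the receiver ran the same checks it always runs and they passed. `ForgedAfterRotation:false` is why the rotation status, not the breach announcement, is the number to watch. Note that DMARC alignment (the signing d= matching the From: domain) is satisfied trivially here, because the attacker signs under the genuine domain; alignment checks protect against lookalike domains, not against a stolen key.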
January 30: The First Breach Nobody Remembers
The March incident wasn’t the Commission’s first breach of 2026. It wasn’t even close.
On January 30, CERT-EU detected an intrusion into the Commission’s Mobile Device Management infrastructure, the system that manages staff-issued smartphones [6]. Attackers exploited two critical Ivanti Endpoint Manager Mobile zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340), both code-injection flaws that allowed unauthenticated remote code execution [7].
The Commission says it contained the incident within nine hours and that no mobile devices were compromised. But staff names and mobile phone numbers were accessed. And the same Ivanti vulnerabilities had already hit Dutch and Finnish government systems [7].
Nine hours is fast containment. Credit where it’s due. But the question isn’t whether they stopped one attack quickly. It’s whether they fixed the systemic problems that led to both breaches.
Two significant breaches in eight weeks, through two completely different attack vectors. That’s not bad luck. That’s a pattern.
€7.1 Billion in Fines. Zero Applied to Themselves.
Here’s where this gets painful.
Since GDPR took effect in May 2018, European data protection authorities have issued €7.1 billion in fines [8]. Meta alone has been hit for around €4 billion. Amazon got a €746 million fine. TikTok, Clearview AI, Google, H&M: the EU has built an entire enforcement apparatus dedicated to punishing organizations that fail to protect personal data. The Commission does not issue those fines itself (national data protection authorities do), but it drafted the law they are issued under.
The GDPR requires “appropriate technical and organisational measures” to protect personal data. It mandates breach notification within 72 hours. It demands data protection by design and by default.
The European Commission wrote those rules. Now it’s failing to meet them.
Staff names and phone numbers exposed in January. Emails, SSO directories, DKIM keys, confidential documents, and 350GB of data stolen in March. By the standards the GDPR applies to private companies, this would trigger an investigation, mandatory disclosures, and potentially significant fines.
But EU institutions aren’t subject to GDPR enforcement the way private companies are. They fall under a separate regulation (Regulation (EU) 2018/1725) that applies to EU institutions and is supervised by the European Data Protection Supervisor, whose fining powers are capped at a few hundred thousand euros rather than a percentage of global turnover. The EU is, in effect, grading its own homework.
“We Are Losing Massively”
The head of the EU’s own cybersecurity agency knows the score.
In January 2026 (the same month as the first breach) Juhan Lepassaar, executive director of ENISA (the EU Agency for Cybersecurity), told Politico: “We are not catching up, we’re losing this game, and we’re losing massively” [9].
Lepassaar pointed to the numbers: in 2019, approximately 17,000 software vulnerabilities were logged globally. In 2025, more than 41,000. In 2019, attackers took about two months on average to exploit a new flaw. Now it takes one day.
The Commission’s response has been legislative: the NIS2 Directive for critical infrastructure cybersecurity, the Cyber Solidarity Act, a proposed overhaul of the Cybersecurity Act that would give ENISA 118 new staff. Rules. Frameworks. Directives.
ShinyHunters doesn’t read directives. They read misconfigured AWS credentials.
Who Are ShinyHunters?
ShinyHunters isn’t some amateur crew. They’re one of the most prolific data theft groups operating today, and they run BreachForums, one of the internet’s largest marketplaces for stolen data [10].
Their trophy case includes:
- Ticketmaster (2024): 560 million customer records, offered for $500,000
- AT&T (2021-2024): 70 million wireless subscriber records including SSNs
- Snowflake supply chain (2024): Compromised customers including Santander Bank and Neiman Marcus
- Wynn Resorts (2026): 800,000+ customer and employee records
- European Commission (2026): 350GB including DKIM keys and SSO directory
Their playbook is consistent: find the weakest link in an organization’s access management, extract maximum data, then either extort the victim or dump the data publicly. The EC breach fits the pattern perfectly: compromised cloud credentials, massive data extraction, public humiliation over ransom.
What This Means for Everyone Else
If the European Commission, with its cybersecurity agencies, regulatory frameworks, and institutional resources, can’t keep ShinyHunters out of its AWS accounts, what does that say about your organization’s chances?
Two things are true at once: GDPR has improved data protection standards globally, and the institution that created it can’t meet its own bar. Both of those matter.
The double breach exposes a gap between regulatory ambition and operational reality. The Commission has spent eight years building the world’s most sophisticated data protection framework. It passed NIS2. It’s implementing the AI Act. Its data protection regime fined Meta €1.2 billion.
And it left its AWS credentials exposed.
This isn’t an argument against regulation. The GDPR has forced real improvements in how companies handle personal data. But it is an argument that rules without resources don’t work. That writing cybersecurity legislation and actually doing cybersecurity are different skills. And that the attackers don’t care how many directives you’ve passed.
What Happens Next
- DKIM key rotation: Until the Commission confirms that new signing keys are published and the old selectors have been withdrawn from DNS, forged emails from EC domains remain possible. Organizations that receive EC correspondence should verify through secondary channels and should not treat a passing DKIM or DMARC result as proof of origin
- Data dump: ShinyHunters has announced plans to release the 350GB publicly. When that happens, journalists and researchers will comb through confidential documents, policy discussions, and internal communications
- Parliamentary pressure: The European Parliament is unlikely to let this go quietly. Expect hearings, investigations, and demands for accountability from the Commission’s IT leadership
- Vendor audit: Two breaches through two different vectors (Ivanti and AWS access controls) means the Commission faces a full review of every third-party vendor and cloud configuration
- ENISA staffing: Lepassaar’s request for 118 new ENISA staff looks a lot more urgent now. The Commission just became Exhibit A in the EU cyber chief’s argument
References
- SC Media: Data Breach Affirmed by European Commission After ShinyHunters Claims (March 2026)
- TechCrunch: European Commission Confirms Cyberattack After Hackers Claim Data Breach (March 27, 2026)
- Help Net Security: European Commission Cyberattack Cloud Infrastructure (March 30, 2026)
- ComplexDiscovery: The DKIM Problem: Why the European Commission Breach Threatens Inboxes Worldwide (March 2026)
- Twelvesec: The Silent Storm in Brussels: Decoding the ShinyHunters Breach (March 30, 2026)
- European Commission: Official Press Release on Mobile Infrastructure Breach (February 2026)
- The Register: European Commission Probes Breach of Staff Mobile Devices (February 9, 2026)
- DLA Piper: GDPR Fines and Data Breach Survey: €7.1 Billion Total (January 2026)
- Politico: “We’re Losing Massively”: EU Cyber Chief Warns Europe’s Defenses Lag (January 2026)
- Wikipedia: ShinyHunters
Published: April 1, 2026