AWS was not compromised in March 2026. The European Commission’s AWS account was. That distinction is not a technicality. It is the entire point of this incident.
The European Commission confirmed that attackers accessed part of its cloud infrastructure hosted on AWS and that data was taken from its public-facing Europa.eu websites. The attack was detected on March 24. The Commission’s internal IT systems were not affected, and the Europa.eu sites remained online throughout. The official EC statement read: “The Commission discovered a cyber-attack, which affected part of our cloud infrastructure. Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission is duly notifying the Union entities who might have been affected.”
AWS responded the same day: “AWS did not experience a security event, and our services operated as designed.” The platform ran as intended. Whatever allowed the attackers in existed entirely on the customer side of the boundary.
The Attack Surface Was the Account, Not the Platform
When cloud providers respond to breach disclosures involving their infrastructure, they routinely point to the shared responsibility model. AWS’s statement here does exactly that. The platform ran as intended. Whatever allowed attackers access to the EC’s AWS environment, it existed on the customer side of the boundary: account credentials, IAM configurations, access policies, or some combination of these.
For hosting executives and cloud operators, this is the operative lesson. No amount of platform-level security by a hyperscaler protects workloads if the credentials, roles, or access controls governing those workloads are compromised. The attack surface in a cloud deployment is not the data center. It is the account.
A group calling itself ShinyHunters claimed responsibility for the breach on its dark web leak site. ShinyHunters is a financially motivated extortion group with a documented history of credential theft via social engineering and voice phishing. Prior targets attributed to the group include Ticketmaster, AT&T (which reportedly paid a $370,000 ransom), Match Group, and SoundCloud. The group’s methodology is consistent with the attack vector multiple security analysts identified as likely in this case.
That attribution, however, comes from the group’s own claim and from reporting by BleepingComputer and HackRead. The European Commission has not confirmed who carried out the attack. Security expert Ilia Kolochenko speculated publicly that the attackers could be “cyber mercenaries hired by a nation state,” but that is analytical speculation, not confirmed attribution. Nick Tausek of Swimlane separately flagged downstream risks including identity exposure, operational disruption, and targeted spear-phishing campaigns using any stolen data as a foundation.
What Is Confirmed, What Is Alleged
ShinyHunters claimed to have extracted 350GB of data, releasing approximately 90GB publicly as a sample. The alleged stolen material includes mail server data, databases, and confidential documents and contracts. The European Commission has confirmed only that “data have been taken.” It has not confirmed the volume, the categories, or the specifics alleged by the attackers. No 350GB figure has been verified by the EC or by any independent party.
What the EC has confirmed is narrow but significant: some data left its cloud environment, its internal systems were not affected, and it is notifying EU entities that may have been impacted. Everything beyond that remains unconfirmed or alleged.
The Second Breach in Two Months
This incident does not stand alone. In late January 2026, the European Commission suffered a separate breach through vulnerabilities in Ivanti Endpoint Manager Mobile, affecting its mobile device management environment. The same Ivanti EPMM vulnerabilities were also exploited against Dutch and Finnish government agencies during the same window.
Two confirmed breaches of EC systems within roughly eight weeks raise questions that go beyond any single incident’s technical details. They point to pressure on the broader posture of how a major public institution manages its exposure across a complex, multi-vendor technology environment. For hosting companies and managed service providers working with public sector clients, this context is worth holding. Large institutions are active targets, and the question is not whether they will be targeted but whether account-level controls and monitoring are sufficient to catch or prevent credential-based access before data moves.
What This Means for Hosting Executives
Three things directly relevant to the hosting and cloud industry come out of this incident.
First, the account security problem. If your customers are running workloads on AWS, Azure, GCP, or any hyperscaler, and their account credentials or IAM configurations are the weak point, the platform’s own security posture is irrelevant to the outcome. Hosting companies and MSPs that provision or manage cloud environments on behalf of customers carry real exposure if account-level controls are not part of the service scope. This incident, where the attackers appear to have operated entirely within the customer account boundary, is a direct illustration of that risk.
Second, the monitoring gap. The EC detected the attack on March 24 but confirmed it publicly between March 27 and 30. The gap between detection and disclosure is not unusual, but the fact that data was taken before detection was possible points to a gap in real-time alerting or behavioral monitoring within the account environment. Cloud-native logging and anomaly detection tools exist specifically to catch unusual data movement or access patterns. Whether those were in place and failed or were not in place is not yet public. Either scenario is a relevant reference point for hosting operators designing cloud management services.
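As an added illustration of the kind of account-level monitoring described above (not code from the Commission, AWS, or any source cited here), the sketch below baselines each principal's S3 reads from CloudTrail-style data events and flags hours with an egress spike or a previously unseen source IP. The field names follow CloudTrail S3 data events; the IAM user, IP addresses, timestamps, byte counts and the `factor` threshold are constructed assumptions and do not describe this incident.

```python
# Constructed illustration: field names follow CloudTrail S3 data events;
# the ARN, IPs, timestamps and byte counts below are made up.
from collections import defaultdict

def s3_reads(events):
    """Yield (principal ARN, hour, source IP, bytes out) per S3 GetObject event."""
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com" or e.get("eventName") != "GetObject":
            continue
        out = (e.get("additionalEventData") or {}).get("bytesTransferredOut", 0)
        yield e["userIdentity"]["arn"], e["eventTime"][:13], e["sourceIPAddress"], int(out)

def build_baseline(events):
    """Per principal: set of known source IPs and the largest hourly egress seen."""
    ips, hourly = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for arn, hour, ip, out in s3_reads(events):
        ips[arn].add(ip)
        hourly[arn][hour] += out
    return {arn: (ips[arn], max(hourly[arn].values())) for arn in ips}

def detect(baseline, events, factor=5):
    """Return sorted (arn, hour, reasons) alerts for the events under review."""
    hourly, new_ips = defaultdict(int), defaultdict(set)
    for arn, hour, ip, out in s3_reads(events):
        hourly[(arn, hour)] += out
        if ip not in baseline.get(arn, (set(), 0))[0]:
            new_ips[(arn, hour)].add(ip)
    alerts = []
    for (arn, hour), total in hourly.items():
        reasons = []
        if total > factor * baseline.get(arn, (set(), 0))[1]:
            reasons.append("egress_spike")      # far above the principal's usual peak
        if new_ips[(arn, hour)]:
            reasons.append("new_source_ip")     # address never seen for this principal
        if reasons:
            alerts.append((arn, hour, tuple(reasons)))
    return sorted(alerts)

def ev(time, ip, out, name="GetObject"):
    return {"eventSource": "s3.amazonaws.com", "eventName": name, "eventTime": time,
            "sourceIPAddress": ip, "additionalEventData": {"bytesTransferredOut": out},
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-publisher"}}

BASELINE = [ev("2025-11-05T09:10:00Z", "198.51.100.7", 2_000_000),
            ev("2025-11-05T09:40:00Z", "198.51.100.7", 3_000_000),
            ev("2025-11-06T14:05:00Z", "198.51.100.7", 1_000_000)]
REVIEW = [ev("2025-11-07T10:00:00Z", "198.51.100.7", 4_000_000),
          ev("2025-11-07T02:00:00Z", "203.0.113.50", 30_000_000),
          ev("2025-11-07T02:30:00Z", "203.0.113.50", 40_000_000)]
```

Calling `detect(build_baseline(BASELINE), REVIEW)` returns a single alert for the 02:00 hour carrying both reasons. S3 data events are not logged by default in CloudTrail, so a check like this only works where they have been enabled on the trail.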
Third, the EU cloud sovereignty angle. This breach lands in the middle of an already active political and commercial debate. Gaia-X CEO Ulrich Ahle has stated publicly: “The highest level of sovereignty for European end customers can only be provided by providers having their headquarters in Europe.” The US CLOUD Act means that US hyperscalers operating data centers inside the EU remain subject to US legal jurisdiction over customer data. One analyst quoted by CSO Online put it directly: “European companies may utilize this incident to promote digital sovereignty and ‘EU-made’ cloud. While data storage in Europe under management of European cloud providers will quite unlikely make any material change to the cloud security landscape, some organizations may be tempted to leave American vendors in favor of their European competitors.”
That last line is worth sitting with. A migration away from US hyperscalers driven by sovereignty concerns, not by this breach alone but by the accumulation of incidents and regulatory pressure, would represent a material commercial shift for European hosting providers and regional cloud operators. The breach did not cause that shift. But it will be cited in procurement conversations and political arguments that accelerate it.
What Comes Next
The EC’s investigation is ongoing. The Commission has begun notifying EU entities that may have been affected by data taken from the Europa.eu environment. No timeline for completing the investigation has been announced. Whether the ShinyHunters claim will be officially confirmed or refuted, and whether the alleged scope of 350GB and the categories of data described will be validated, remains to be seen.
The AWS shared responsibility line will not change. It does not need to. The question for hosting executives and managed service providers is whether their customers’ cloud accounts are secured to the same standard as their own infrastructure, or whether account-level controls are treated as the customer’s problem. If the answer is the latter, this incident is a useful illustration of where that assumption leads. The European Commission had AWS. AWS performed as designed. The data still left the building.
Łukasz Nowak
Nearly two decades in IT. A decade in web hosting - and still in the trenches. Writing about the infrastructure that runs the internet from the inside.
Sources
- Bloomberg: European Commission's Data Stolen in Hack on AWS Account
- TechCrunch: European Commission Confirms Cyberattack After Hackers Claim Data Breach
- BleepingComputer: European Commission Confirms Data Breach After Europa.eu Hack
- Security Affairs: European Commission Confirmed a Cyberattack Affecting Part of Its Cloud Systems
- Security Affairs: ShinyHunters Claims the Hack of the European Commission
- The Register: European Commission Breach
- Infosecurity Magazine: European Commission Cloud Data
- CSO Online: European Commission Data Stolen in a Cyberattack on the Infrastructure Hosting Its Websites