The European Commission just confirmed a major cyberattack on its cloud infrastructure, marking one of the most significant breaches of EU government systems in recent memory. Hackers claim to have stolen massive amounts of data from the Commission’s cloud storage, though the full scope of the breach remains unclear. The incident raises fresh questions about the security of government cloud infrastructure and comes as the EU pushes aggressive cybersecurity regulations across member states.

The European Commission confirmed Friday it suffered a cyberattack after hackers reportedly breached its cloud storage systems and made off with what they claim is a trove of sensitive data. The admission marks a rare public confirmation of a security incident from the EU’s most powerful executive body, which oversees everything from competition policy to data protection rules affecting billions of people.

The Commission’s brief statement didn’t detail what data was stolen or how the attackers gained access, but the breach appears to have targeted cloud infrastructure that likely stores everything from internal communications to policy drafts and administrative records. Security researchers tracking the incident say the hackers posted proof of the breach on dark web forums, claiming they extracted “reams of data” before the Commission detected the intrusion.

What makes this breach particularly awkward is the timing. The EU has spent years positioning itself as the global leader in digital security and privacy, pushing through landmark legislation like GDPR and the recently enacted NIS2 directive that forces companies to beef up their cybersecurity defenses. Now the Commission finds itself scrambling to explain how its own systems were compromised, potentially exposing sensitive government information that could include everything from trade negotiations to regulatory investigations.

The incident also exposes the growing vulnerability of government cloud infrastructure. Like many organizations, the Commission has migrated significant portions of its IT operations to cloud services in recent years, seeking cost savings and flexibility. But that shift creates new attack surfaces – and Friday’s breach suggests those systems weren’t as locked down as they should have been.

Security experts say government breaches like this often start with basic entry points: phishing emails that trick employees into handing over credentials, unpatched vulnerabilities in legacy systems, or misconfigured cloud storage buckets left open to the internet. The Commission hasn’t said which attack vector was used here, but the hackers’ apparent access to cloud storage suggests either compromised credentials or exploitation of a misconfiguration.