European Commission Confirms Data Breach After ShinyHunters Claims Intrusion

The European Commission has confirmed a data breach after hacking group ShinyHunters claimed responsibility for an intrusion into its systems, according to reporting by SC Media published Monday. ShinyHunters, a prolific threat actor responsible for several high-profile data thefts in recent years, posted claims of access to Commission systems on underground forums. The Commission's confirmation follows earlier reports that the group posted what it described as Commission data for sale. The European Commission is the executive arm of the European Union, overseeing regulatory policy including enforcement of the EU's AI Act, General Data Protection Regulation, and the Digital Markets Act. A breach of Commission systems raises concerns about the potential exposure of policy deliberations, personnel records, and communications with member states and industry. Details of the intrusion's scope, including what categories of data were accessed and how long the threat actor maintained access, were not immediately disclosed. ShinyHunters has a documented history of large-scale credential theft and database exfiltration, including a breach of AT&T that exposed records from approximately 73 million customers and a 2021 intrusion at Ticketmaster affecting 560 million records. The incident adds to a pattern of breaches involving European institutions. The European Central Bank, European Medicines Agency, and European Parliament have all experienced security incidents in recent years, raising questions about baseline cybersecurity standards across EU bodies. No attribution of the intrusion to a specific nation-state actor was made in initial reporting.