European Commission Data Breach Tied to Trivy Supply Chain Vulnerability


Data Breach at the European Commission

The European Commission recently experienced a major data breach linked to the Trivy supply chain attack, resulting in the theft of over 300 GB of sensitive data.

Background

On March 24, hackers stole sensitive data from the European Commission’s Amazon Web Services (AWS) environment using an API key that had been compromised in the Trivy supply chain attack carried out by the TeamPCP hacking group.

Investigation Findings

An investigation by the EU’s cybersecurity team revealed that the hackers accessed the AWS account using an API key compromised on March 19 in the supply chain attack on Aqua Security’s Trivy vulnerability scanner. The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels.

Attack Details

Using the compromised AWS key, the attackers created and attached a new access key to a user account and carried out reconnaissance. This key granted control over other AWS accounts affiliated with the European Commission.
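
For defenders, the sequence described above (an existing key used to create a new access key, followed by reconnaissance) can be hunted for in CloudTrail. The sketch below is an added example, not code from CERT-EU or the Commission. It assumes CloudTrail records already loaded as Python dicts; the function name, the 30-minute window, the three-call threshold and the choice to flag only long-term (`AKIA`) caller keys are illustrative assumptions, and the sample records are constructed.

```python
"""Flag CloudTrail CreateAccessKey events followed by read-only enumeration from the new key."""
from datetime import datetime, timedelta

RECON_PREFIXES = ("List", "Describe", "Get")  # read-only API verbs typical of enumeration

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _key(ev):
    return (ev.get("userIdentity") or {}).get("accessKeyId", "")

def find_key_minting(events, window=timedelta(minutes=30), min_recon=3):
    """Return one finding per new key that was created via a long-term key and then enumerated."""
    events = sorted(events, key=_ts)
    findings = []
    for ev in events:
        if ev.get("eventName") != "CreateAccessKey" or ev.get("errorCode"):
            continue  # ignore other calls and failed attempts
        new_key = ((ev.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
        # AKIA = long-term IAM user key; ASIA = temporary STS session (console, assumed role)
        if not new_key or not _key(ev).startswith("AKIA"):
            continue
        start = _ts(ev)
        recon = [e["eventName"] for e in events
                 if _key(e) == new_key and start <= _ts(e) <= start + window
                 and e.get("eventName", "").startswith(RECON_PREFIXES)]
        if len(recon) >= min_recon:
            findings.append({"creator_key": _key(ev), "new_key": new_key,
                             "target_user": (ev.get("requestParameters") or {}).get("userName"),
                             "source_ip": ev.get("sourceIPAddress"), "recon_calls": recon})
    return findings

def _ev(time, name, key, ip, **extra):  # builder for the constructed sample records
    return {"eventTime": f"2024-01-01T{time}Z", "eventName": name,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip, **extra}

# Constructed sample data: key IDs are AWS documentation examples or made up, IPs are RFC 5737.
SAMPLE = [
    _ev("10:00:00", "CreateAccessKey", "AKIAIOSFODNN7EXAMPLE", "203.0.113.10",
        requestParameters={"userName": "svc-deploy"},
        responseElements={"accessKey": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}}),
    _ev("10:01:10", "GetCallerIdentity", "AKIAI44QH8DHBEXAMPLE", "203.0.113.10"),
    _ev("10:01:40", "ListUsers", "AKIAI44QH8DHBEXAMPLE", "203.0.113.10"),
    _ev("10:02:05", "ListBuckets", "AKIAI44QH8DHBEXAMPLE", "203.0.113.10"),
    _ev("10:02:30", "DescribeInstances", "AKIAI44QH8DHBEXAMPLE", "203.0.113.10"),
    # Routine rotation from a temporary session; the new key only writes objects: not flagged.
    _ev("11:00:00", "CreateAccessKey", "ASIAEXAMPLESESSION01", "198.51.100.7",
        requestParameters={"userName": "alice"},
        responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLEROTATED01"}}),
    _ev("11:05:00", "PutObject", "AKIAEXAMPLEROTATED01", "198.51.100.7"),
]
```

Calling `find_key_minting(SAMPLE)` returns a single finding for the key created on `svc-deploy`; the thresholds need tuning against an environment's normal key-rotation activity.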

Exfiltrated Data

The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service, including 42 internal clients of the European Commission and at least 29 other Union entities.

Actions Taken

Upon learning of the compromise, the EC took swift action to mitigate the damage. It revoked the compromised account’s rights, deactivated and rotated the compromised credentials, and notified the relevant data protection authorities.

"The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels."

— CERT-EU

Further Analysis

Further analysis is ongoing to determine the extent of the breach. The European Commission has assured the public that it is working closely with its partners to address the situation and prevent similar incidents in the future.