In March 2026, the threat actor group ShinyHunters published more than 350GB of data taken from the European Commission's cloud environment on Amazon Web Services. According to the reporting, the breach originated in a supply-chain compromise of Trivy, an open-source container and dependency vulnerability scanner widely used across public and private sector environments. The compromised component gave the attackers initial access to the Commission's AWS environment, from which they moved laterally into connected services. A scanner is an attractive target for exactly this reason: it is deliberately run with read access to source code, container images and credentials across many pipelines, so subverting it yields a foothold in every environment that trusts it.
The published data includes DKIM email-signing private keys, internal email correspondence, Nextcloud file storage contents, and staff personnel records, an exposure that spans both operational and personal data categories. Approximately 30 EU entities are understood to have been affected, though the full scope of the breach is still being assessed. The DKIM keys deserve particular attention. Whoever holds a domain's DKIM private key can sign mail that receiving servers will verify as genuinely originating from that domain, which also satisfies DMARC alignment, so the keys enable convincing spoofing of Commission domains in future phishing campaigns. That capability persists until the affected selectors are rotated: new keys published under new selectors, and the exposed selectors revoked by publishing a DKIM record with an empty p= tag, which RFC 6376 defines as "key revoked". Until that DNS change is made and has propagated, disclosure alone does not reduce the risk.
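The remediation step above has a verifiable end state: every exposed selector's DNS record should read as revoked, and the replacement selectors should carry keys of adequate size. The script below is an added example, not part of the original article and not Commission or Acompli tooling. It assumes the incident responder already knows which selectors' private keys were exposed (the selector names `s2025a`, `s2025b`, `s2026a` and `legacy` are hypothetical), and it works from constructed TXT record strings so that it runs offline; in practice the records would be fetched from `<selector>._domainkey.<domain>`. It applies the RFC 6376 rules that an empty `p=` means the key is revoked and that whitespace inside tag values is ignored, and it reads the RSA modulus size straight out of the base64 SubjectPublicKeyInfo with a minimal DER walker rather than depending on a crypto library.

```python
"""Post-exposure DKIM selector check (added example; hypothetical selector names).

For each selector whose private key was exposed, confirm the published DNS
record now revokes it (p= empty); also flag new selectors that are still weak.
"""
import base64
import re
from typing import Dict, List, Optional

# Assumption: the responder knows which selectors' private keys leaked.
EXPOSED_SELECTORS = {"s2025a", "s2025b"}


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Split a DKIM TXT record into tag=value pairs (RFC 6376 s3.2).
    Folding whitespace inside a value (common in long p= strings) is dropped.
    If DNS returned several quoted strings, concatenate them before calling."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_b64: str) -> int:
    """Return the RSA modulus size in bits from a base64 DER SubjectPublicKeyInfo."""
    der = base64.b64decode(spki_b64)
    tag, spki, _ = _tlv(der, 0)            # SEQUENCE SubjectPublicKeyInfo
    assert tag == 0x30
    _, _alg, pos = _tlv(spki, 0)           # AlgorithmIdentifier (rsaEncryption), skipped
    tag, bitstr, _ = _tlv(spki, pos)       # BIT STRING subjectPublicKey
    assert tag == 0x03
    tag, rsapub, _ = _tlv(bitstr[1:], 0)   # drop unused-bits byte; SEQUENCE RSAPublicKey
    assert tag == 0x30
    tag, modulus, _ = _tlv(rsapub, 0)      # INTEGER n
    assert tag == 0x02
    return int.from_bytes(modulus, "big").bit_length()


def assess_selector(txt: Optional[str], min_bits: int = 2048) -> str:
    """Classify a selector's DNS state: missing, invalid, revoked, weak or active."""
    if txt is None:
        return "missing"                   # no record: verifiers cannot validate, effectively revoked
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "invalid"
    if tags["p"] == "":
        return "revoked"                   # RFC 6376 s3.6.1: empty p= means key revoked
    if tags.get("k", "rsa") == "rsa" and rsa_modulus_bits(tags["p"]) < min_bits:
        return "weak"
    return "active"


def find_unrevoked_exposed(records: Dict[str, Optional[str]],
                           exposed=EXPOSED_SELECTORS) -> List[str]:
    """Exposed selectors whose DNS record still publishes a usable key."""
    return sorted(s for s in exposed if assess_selector(records.get(s)) in ("active", "weak"))


# --- constructed sample data (NOT real keys) ---------------------------------
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_spki(bits: int) -> str:
    """Well-formed rsaEncryption SubjectPublicKeyInfo around a synthetic modulus."""
    n = (1 << (bits - 1)) | 1                                   # synthetic, not a real key
    n_bytes = n.to_bytes((n.bit_length() + 8) // 8, "big")      # leading 0x00 keeps it positive
    rsa_pub = _der(0x30, _der(0x02, n_bytes) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))).decode()


SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "s2025a": "v=DKIM1; k=rsa; p=",                        # exposed, correctly revoked
    "s2025b": "v=DKIM1; k=rsa; p=" + _fake_spki(2048),      # exposed, still live: a finding
    "s2026a": "v=DKIM1; k=rsa; p=" + _fake_spki(2048),      # replacement selector
    "legacy": "v=DKIM1; k=rsa; p=" + _fake_spki(1024),      # too small to keep
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:8s} {assess_selector(rec)}")
    print("exposed selectors still publishing a key:", find_unrevoked_exposed(SAMPLE_RECORDS))
```

Run against live DNS, `find_unrevoked_exposed` returning anything other than an empty list means the rotation is not finished. Keep the revoked records published rather than deleting them: an explicit empty `p=` is an unambiguous signal to verifiers, whereas a missing record can be confused with a DNS outage during incident review.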
The incident has triggered notification obligations under both the GDPR and the EU's own institutional data protection framework, Regulation (EU) 2018/1725, which applies to the Commission and the other EU institutions and bodies and mirrors the GDPR's breach provisions, with the European Data Protection Supervisor as the competent authority. Under Article 33 of the GDPR, a controller must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a processor that becomes aware of a breach must notify its controller without undue delay. Where the risk is high, Article 34 requires communication to the affected individuals themselves without undue delay. The scale of the exposed personnel records suggests that both obligations are likely to be engaged for multiple entities, and the 72-hour clock runs from awareness, not from the end of the investigation.
The breach also illustrates a pattern that has become impossible to ignore: open-source software dependencies used as the attack vector against high-value targets. The Trivy compromise follows a series of supply-chain incidents, including the XZ Utils backdoor in 2024, in which malicious code inserted into the xz compression library by a trusted maintainer was positioned to reach the sshd process of mainstream Linux distributions, that have demonstrated how a single compromised component can cascade across thousands of organisations that never chose to trust it directly.
Acompli perspective: Supply-chain attacks do not respect organisational boundaries, and they trigger the same GDPR obligations as any other personal data breach. Organisations should ensure that their risk management frameworks explicitly cover open-source and third-party software dependencies, that their records of processing identify where cloud-hosted data resides and who has access to it, and that their breach response procedures account for incidents that originate outside their own infrastructure. If your third-party risk assessments do not cover the software tools your processors use, and not just the processors themselves, this breach is a case study in why they should.