CERT-EU has formally attributed a major breach of the European Commission to the cybercrime group TeamPCP, and named the notorious gang ShinyHunters as the actor responsible for leaking the stolen data publicly, according to the agency's findings.

The attribution places two distinct criminal actors at the centre of what appears to be a coordinated attack-and-release operation — a pattern increasingly common in high-profile cybercrime, where one group conducts the intrusion and another handles the dissemination of data to maximise pressure or profit.

A Two-Gang Operation Targeting the Heart of the EU

CERT-EU's findings suggest the breach involved at least two separate threat actors working either in collaboration or in sequence. TeamPCP is believed to have conducted the initial intrusion into European Commission systems, while ShinyHunters — a group with a well-documented history of large-scale data theft and publication — subsequently released the stolen material online.

ShinyHunters has previously been linked to breaches affecting hundreds of millions of individuals across multiple continents, including a 2021 leak of data from over 70 million AT&T customers and attacks on platforms such as Tokopedia and Microsoft's GitHub repositories. The group's willingness to publish stolen data publicly — rather than solely seeking ransom — makes it a particularly disruptive force in the cybercrime ecosystem.

What Was Taken and Who Is Affected

CERT-EU has not yet disclosed the full scope of the data compromised in the European Commission breach, including the number of individuals or the categories of information involved. The European Commission houses sensitive administrative, policy, and personnel data, meaning the potential impact on both institutional operations and individual staff members could be substantial.

The human cost of breaches of this kind is well established. A 2023 IBM Cost of a Data Breach report, based on a study of 553 organisations, found that breaches involving government data carried an average cost of $2.6 million and frequently exposed personally identifiable information belonging to employees and citizens alike. Individuals whose data is leaked face elevated risks of phishing, identity theft, and credential-stuffing attacks in the months following publication.

ShinyHunters' History and the Growing Leak-as-Leverage Trend

The involvement of ShinyHunters in the public release of data reflects a broader tactical evolution in cybercrime. Rather than relying solely on ransomware encryption to extract payment, criminal groups increasingly use the threat — or act — of publishing sensitive data as a separate lever. This approach, sometimes called double extortion, forces organisations to weigh reputational and regulatory consequences alongside operational disruption.

For EU institutions, the regulatory stakes are particularly acute. The European Commission is both a legislator and enforcer of data protection standards under the General Data Protection Regulation (GDPR), meaning a breach of its own systems invites scrutiny not just from a security standpoint but from a compliance one as well.

TeamPCP is less publicly documented than ShinyHunters, and CERT-EU's public naming of the gang represents a significant step — formal attribution by a governmental cyber body carries legal and diplomatic weight, and can precede coordinated law enforcement action.

What Comes Next for EU Cyber Policy

The breach is likely to intensify pressure on EU institutions to accelerate implementation of the NIS2 Directive, the updated Network and Information Security framework that came into force in October 2024 and requires member states and key institutions to meet stricter cybersecurity standards. Critics have argued that uptake among public-sector bodies has been uneven.

CERT-EU is expected to release further technical indicators of compromise and guidance for organisations that may have been downstream targets of the same campaign. Law enforcement coordination through Europol and Eurojust is a probable next step given the formal attribution.

The incident also arrives at a moment of heightened geopolitical tension in Europe, though CERT-EU's statement focused on criminal, rather than state-sponsored, actors. Distinguishing between the two is increasingly difficult: criminal hacking groups frequently operate in grey zones, sometimes with the tacit tolerance of hostile states.

What This Means

For EU staff, contractors, and anyone whose data passes through European Commission systems, this breach is a concrete reminder that even the continent's most powerful institutions are not immune to sophisticated criminal intrusion — and that when data is leaked publicly, the exposure is effectively permanent.