EU Staff Data Exposed in European Commission Security Breach

Summary
– The European Commission detected a cyberattack on its mobile device management platform, which may have exposed staff names and phone numbers, but no compromise of the mobile devices themselves was found.
– The incident is linked to similar attacks on European institutions exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, as seen in breaches at Dutch and Finnish authorities.
– The Commission contained the incident and cleaned the system within nine hours; the breach came shortly after it proposed new cybersecurity legislation to bolster defenses.
– Ivanti had warned of two critical, exploitable vulnerabilities in its EPMM software that allow remote code execution without authentication, which were used in these zero-day attacks.
– Security monitoring by Shadowserver indicated over 50 Ivanti EPMM servers were likely compromised via one of these vulnerabilities, highlighting the widespread impact.

A significant cybersecurity incident has impacted the European Commission, with officials confirming a breach of the infrastructure used to manage staff mobile devices. The attack, detected on January 30th, potentially exposed the personal information of employees, including names and phone numbers. The Commission’s swift response contained the incident within nine hours, and investigators found no evidence that the mobile devices themselves were compromised. This event underscores the persistent threats facing major institutions and highlights the critical importance of robust mobile device management security.
Authorities have not publicly detailed the specific method of intrusion. However, the breach appears connected to a wider campaign targeting European entities through vulnerabilities in specific software. The attack methodology closely mirrors incidents reported by Dutch agencies, including the Data Protection Authority (AP) and the Council for the Judiciary. These organizations confirmed that attackers exploited security flaws in Ivanti Endpoint Manager Mobile (EPMM) software to access employee data such as names, business email addresses, and telephone numbers.
The timing of this breach is notable, occurring shortly after the European Commission proposed new cybersecurity legislation aimed at bolstering defenses against state-sponsored and criminal hacking groups. The incident serves as a real-world test case for the challenges of securing critical administrative infrastructure against sophisticated threats.
Further evidence of a coordinated campaign emerged from Finland, where a government ICT agency disclosed a separate breach potentially affecting tens of thousands of users. That intrusion also involved the exploitation of a zero-day vulnerability within a mobile device management service, pointing to a common attack vector.
When questioned about whether the Commission’s systems were compromised via Ivanti EPMM servers, a spokesperson directed inquiries to the official press statement, neither confirming nor denying the software’s involvement. The software provider, Ivanti, had previously issued a warning about two critical vulnerabilities in its EPMM product that were being actively exploited in zero-day attacks. These security flaws, identified as CVE-2026-1281 and CVE-2026-1340, allow remote attackers to execute arbitrary code on affected systems without requiring authentication.
Independent cybersecurity monitoring groups have since identified dozens of Ivanti EPMM servers online that show signs of compromise linked to these vulnerabilities. The European Commission continues its investigation into the full scope of the breach, working to determine the exact extent of the data access and to reinforce its systems against future attacks.
(Source: Bleeping Computer)





