European Commission discloses breach that exposed staff data

Published: February 9, 2026 at 04:49 AM EST

Source: Bleeping Computer

Breach overview

The European Commission is investigating a breach after finding evidence that its mobile device management (MDM) platform was hacked. On 30 January, the Commission detected traces of a cyber‑attack targeting the infrastructure that manages staff mobile devices. While attackers may have accessed some staff members’ personal information—such as names and phone numbers—the Commission has not found evidence that the mobile devices themselves were compromised.

Commission statement

“On 30 January, the European Commission’s central infrastructure managing mobile devices identified traces of a cyber‑attack, which may have resulted in access to staff names and mobile numbers of some of its staff members,” the Commission said in its press release.
“The Commission’s swift response ensured the incident was contained and the system cleaned within 9 hours. No compromise of mobile devices was detected.”

The breach follows the Commission’s proposal of new cybersecurity legislation announced on 20 January, aimed at strengthening defenses against state‑backed and cybercrime groups targeting critical infrastructure.

Similar incidents in Dutch authorities

The Dutch Data Protection Authority and the Council for the Judiciary reported nearly identical breaches, confirming that attackers exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to access employee names, business email addresses, and telephone numbers.

“On January 29, the National Cyber Security Center (NCSC) was informed by the supplier of vulnerabilities in EPMM. EPMM is used to manage mobile devices, apps, and content, including their security,” the Dutch authorities said.
“It is now known that work‑related data of AP employees, such as names, business email addresses, and telephone numbers, have been accessed by unauthorized persons.”

Ivanti vulnerabilities

Ivanti, a provider of enterprise mobility management software, warned on 29 January of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that were exploited in zero‑day attacks:

  • CVE‑2026‑1281
  • CVE‑2026‑1340

Both flaws are code‑injection vulnerabilities that allow remote attackers to execute arbitrary code on unpatched devices without authentication.

Response

A European Commission spokesperson was not immediately available for comment when contacted by BleepingComputer.
