CloudTech is part of the TechForge Publications seriesView AllAI NewsDeveloperIoT NewsMarketing TechTechHQTech Wire AsiaTelecomsView AllAI NewsDeveloperIoT NewsMarketing TechTechHQTech Wire AsiaTelecomsTechForge SearchNewsCategoriesCloud in ActionCloud MigrationCloud ROI & CostInternal Change ManagementMissteps & LessonsSME & Startup CloudEditorial DeskAnnouncements & AnalysisForecasts & TrendsMigrations: Behind the ScenesTechEx EventsFeaturesInterviewsPodcastsSponsored ContentVideosWebinarsFuture of CloudAI & CloudCloud EthicsEdge & Distributed CloudOpen CloudQuantum & CloudServerless ArchitectureSustainable CloudIndustry PerspectivesEducation & ResearchFinanceHealthcare & Life SciencesLegal & HRMedia, Gaming & CreativePublic SectorRetail & ConsumerMarket IntelligenceCloud StartupsEarnings & Market ShareEvent CoverageMergers & AcquisitionsVendor Roadmaps & LeadershipSecurity, Privacy & TrustCloud CybersecurityCyber Security & Cloud ExpoEncryption & Data PrivacyGovernance, Risk & ComplianceIdentity & AccessStrategy & Decision-MakingChoosing a Cloud StrategyFinOps & BudgetsLock-In & ExitMulti- & Hybrid CloudProcurement & ContractsSkills & HiringTechnology StackBig VendorsContainers & KubernetesDatabases & Data PlatformsInfrastructure as CodeObservability & MonitoringXaaS ModelsEventsResourcesOn-demand WebinarsExclusive VideosPodcastsAll ResourcesMoreAdvertiseAbout UsContact Us SearchNewsCategoriesCloud in ActionCloud MigrationCloud ROI & CostInternal Change ManagementMissteps & LessonsSME & Startup CloudEditorial DeskAnnouncements & AnalysisForecasts & TrendsMigrations: Behind the ScenesTechEx EventsFeaturesInterviewsPodcastsSponsored ContentVideosWebinarsFuture of CloudAI & CloudCloud EthicsEdge & Distributed CloudOpen CloudQuantum & CloudServerless ArchitectureSustainable CloudIndustry PerspectivesEducation & ResearchFinanceHealthcare & Life SciencesLegal & HRMedia, Gaming & CreativePublic SectorRetail & ConsumerMarket IntelligenceCloud StartupsEarnings & Market ShareEvent CoverageMergers & AcquisitionsVendor Roadmaps & LeadershipSecurity, Privacy & TrustCloud CybersecurityCyber Security & Cloud ExpoEncryption & Data PrivacyGovernance, Risk & ComplianceIdentity & AccessStrategy & Decision-MakingChoosing a Cloud StrategyFinOps & BudgetsLock-In & ExitMulti- & Hybrid CloudProcurement & ContractsSkills & HiringTechnology StackBig VendorsContainers & KubernetesDatabases & Data PlatformsInfrastructure as CodeObservability & MonitoringXaaS ModelsEventsResourcesOn-demand WebinarsExclusive VideosPodcastsAll ResourcesMoreAdvertiseAbout UsContact Us Subscribe Subscribe SearchNewsCategoriesCloud in ActionCloud MigrationCloud ROI & CostInternal Change ManagementMissteps & LessonsSME & Startup CloudEditorial DeskAnnouncements & AnalysisForecasts & TrendsMigrations: Behind the ScenesTechEx EventsFeaturesInterviewsPodcastsSponsored ContentVideosWebinarsFuture of CloudAI & CloudCloud EthicsEdge & Distributed CloudOpen CloudQuantum & CloudServerless ArchitectureSustainable CloudIndustry PerspectivesEducation & ResearchFinanceHealthcare & Life SciencesLegal & HRMedia, Gaming & CreativePublic SectorRetail & ConsumerMarket IntelligenceCloud StartupsEarnings & Market ShareEvent CoverageMergers & AcquisitionsVendor Roadmaps & LeadershipSecurity, Privacy & TrustCloud CybersecurityCyber Security & Cloud ExpoEncryption & Data PrivacyGovernance, Risk & ComplianceIdentity & AccessStrategy & Decision-MakingChoosing a Cloud StrategyFinOps & BudgetsLock-In & ExitMulti- & Hybrid CloudProcurement & ContractsSkills & HiringTechnology StackBig VendorsContainers & KubernetesDatabases & Data PlatformsInfrastructure as CodeObservability & MonitoringXaaS ModelsEventsResourcesOn-demand WebinarsExclusive VideosPodcastsAll ResourcesMoreAdvertiseAbout UsContact Us Hamburger Toggle Menu Announcements & Analysis, Cloud Computing, Cloud Cybersecurity, Editorial Desk, Security, Privacy & TrustThe cloud security complexity gap just hit the European Commission, and the data suggests it was predictable.Dashveenjit Kaur6th April 2026 Share this story: Tags:AWS securityCERT-EUCloud misconfigurationCloud security complexityCloud threat detectionCredential theftCybersecurity & Cloud ExpofortinetMulti-cloud securityShinyHuntersSupply chain attackTool sprawlCategories::Announcements & AnalysisCloud ComputingCloud CybersecurityEditorial DeskSecurity, Privacy & TrustThe recent breach of the European Commission’s cloud infrastructure was contained quickly enough that Europa.eu websites stayed online throughout.By most visible measures, it looked like a limited incident.The forensic picture that has emerged since tells a different story.CERT-EU published its technical breakdown on April 3.
Attackers acquired an AWS API key on March 19 through the Trivy supply chain compromise – a security scanner the Commission was running as part of its cloud tooling.That single compromised key granted control over other AWS accounts affiliated with the Commission.From there, the attackers used TruffleHog to scan for additional secrets and validate credentials before beginning reconnaissance. ShinyHunters, the group linked to recent supply chain attacks across multiple tools, has since been confirmed as responsible.
Approximately 340GB of data was stolen and subsequently leaked.What made the breach possible was not a gap in the Commission’s perimeter. It was the complexity of its cloud environment – the sprawl of tools, accounts, and credential dependencies – that, when one element is compromised, can cascade across the rest.The Commission had a security scanner.
That scanner was compromised.The scanner had access to API keys.Those keys had access to other accounts.The investigation found no evidence of lateral movement between accounts, but the pathway existed.
This reflects the structural problem described in the 2026 State of Cloud Security Report, sponsored by Fortinet and produced by Cybersecurity Insiders from a survey of 1,163 security professionals worldwide, published three months before the Commission breach.The anatomy of a complexity gapThe Fortinet-sponsored report identified what it calls a cloud security complexity gap: not a funding shortfall, not a technology failure, but a structural mismatch between how fast cloud environments grow and how well security teams can actually see and control them.Almost 70% of organisations cite tool sprawl and visibility gaps as the top barriers to effective cloud security.Security solutions have expanded alongside cloud adoption, but frequently without coordination, resulting in disconnected tools, inconsistent controls, and limited end-to-end visibility. Teams are forced to manually correlate alerts from systems that were not designed to work together.The Commission breach fits this pattern precisely.
A third-party security tool, sitting inside the cloud environment with the credentials needed to do its job, became the entry point.The tool was doing what it was supposed to do.The problem was that nobody had a full picture of what that tool could reach.88% of organisations now operate in hybrid or multi-cloud environments, up from 82% the previous year.
Among them, 81% rely on two or more cloud providers for critical workloads, and 29% are using more than three. Each additional provider, service, and tool creates new credential dependencies and permission paths.The infrastructure scales by design.The attack surface scales with it.Stretched teams, machine-speed threatsThe Fortinet report identifies two further reinforcing factors behind the complexity gap.
74% of those surveyed report an active shortage of qualified cybersecurity professionals, while 59% say their organisations are still in the early stages of cloud security maturity.Understaffed teams managing overcomplicated environments are slower to detect anomalies and slower still to trace them across disconnected systems.The Commission’s Cybersecurity Operations Centre detected unusual API activity on March 24, but the initial access had occurred five days earlier, on March 19.CERT-EU was notified on March 25.
This meant five days of undetected access in a cloud environment where credential misuse had already begun.The gap between intrusion and detection is not a failure of effort; it is what happens when environments are complex enough that normal activity becomes indistinguishable from abnormal activity until something flags it.Threat actors are employing automation to uncover misconfigurations, map permission paths, and identify exposed data faster than human-led defences can respond.66% of cybersecurity professionals say they lack strong confidence in their ability to detect and respond to cloud threats in real time.More tools, not better outcomesThe instinctive response to a breach like this is to add more monitoring, more scanning, more tooling.The Fortinet report suggests this response is part of the problem it is meant to solve. When asked how they would design their cloud security strategy if starting from scratch, 64% of respondents said they would build around a single-vendor platform unifying network, cloud, and application security – not because of vendor preference, but because the integration overhead of managing multiple disconnected tools is itself a security liability.
Every additional tool is another credential.Another permission set.Another potential Trivy.The Commission breach is not an outlier that reveals a unique institutional vulnerability.
It is an illustration of conditions that the Fortinet data suggests exist across the majority of enterprise cloud environments right now.The complexity is the risk.And the complexity is still growing.See also: 10 real-life cloud security failures and what we can learn from themWant to learn more about Cloud Computing from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.
The comprehensive event is part of TechEx and is co-located with other leading technology events, click here for more information.CloudTech News is powered by TechForge Media.Explore other upcoming enterprise technology events and webinars here.About the Author Dashveenjit KaurJournalist Dashveenjit is an experienced tech and business journalist with a determination to find and produce stories for online and print daily.She is also an experienced parliament reporter with occasional pursuits in the lifestyle and art industries.Related Spending more on security, encrypting less: the cloud data encryption gap nobody is talking about6th April 2026 Comparing Microsoft CSP partners in Boston: Which one is right for you?2nd April 2026 Cloud costs rise as AI moves into core business systems1st April 2026 Red Hat’s 2026 report exposes the cloud-native security execution gap–and how to close it1st April 2026 Spending more on security, encrypting less: the cloud data encryption gap nobody is talking about6th April 2026 Comparing Microsoft CSP partners in Boston: Which one is right for you?2nd April 2026 Cloud costs rise as AI moves into core business systems1st April 2026 Red Hat’s 2026 report exposes the cloud-native security execution gap–and how to close it1st April 2026 Join our CommunitySubscribe now to get all our premium content and latest tech news delivered straight to your inbox Click here Popular Cloud ROI & Cost, Interviews, Sponsored Content, Sustainable CloudRipple effect: Xylem’s sustainable water solutions for Europe’s data centres 20451 view(s)Cloud Computing, XaaS ModelsConcern over cloud storage security remains says Spiceworks – but good news for OneDrive 12603 view(s)Big Vendors, Cloud Computing, Cloud Cybersecurity, Market Intelligence, Security, Privacy & Trust10 real-life cloud security failures and what we can learn from them 5956 view(s)Big Vendors, Cloud Computing, Market Intelligence5 of the best: cloud technology training platforms 5882 view(s)Cloud ROI & Cost, Interviews, Sponsored Content, Sustainable CloudRipple effect: Xylem’s sustainable water solutions for Europe’s data centres 20451 view(s)Cloud Computing, XaaS ModelsConcern over cloud storage security remains says Spiceworks – but good news for OneDrive 12603 view(s)Big Vendors, Cloud Computing, Cloud Cybersecurity, Market Intelligence, Security, Privacy & Trust10 real-life cloud security failures and what we can learn from them 5956 view(s)Big Vendors, Cloud Computing, Market Intelligence5 of the best: cloud technology training platforms 5882 view(s) See all Latest View All Latest AI & Cloud1st April 2026Cloud costs rise as AI moves into core business systems AI & Cloud1st April 2026Red Hat’s 2026 report exposes the cloud-native security execution gap–and how to close it Big Vendors31st March 2026Tata SD-WAN for DC connectivity in the AI age AI & Cloud1st April 2026Cloud costs rise as AI moves into core business systems AI & Cloud1st April 2026Red Hat’s 2026 report exposes the cloud-native security execution gap–and how to close it Big Vendors31st March 2026Tata SD-WAN for DC connectivity in the AI age SubscribeAll our premium content and latest tech news delivered straight to your inbox Subscribe ExploreAbout UsContact UsNewsletterPrivacy PolicyCookie PolicyAbout UsContact UsNewsletterPrivacy PolicyCookie PolicyReach Our AudienceAdvertisePost a Press ReleaseContact UsAdvertisePost a Press ReleaseContact UsCategoriesCloud in ActionEditorial DeskFeaturesFuture of CloudIndustry PerspectivesMarket IntelligenceSecurity, Privacy & TrustTechnology StackStrategy & Decision-MakingAll CategoriesCloud in ActionEditorial DeskFeaturesFuture of CloudIndustry PerspectivesMarket IntelligenceSecurity, Privacy & TrustTechnology StackStrategy & Decision-MakingAll CategoriesOther PublicationsExplore AllAI NewsDeveloperIoT NewsMarketing TechTechHQTech Wire AsiaTelecomsExplore AllAI NewsDeveloperIoT NewsMarketing TechTechHQTech Wire AsiaTelecomsCloudTech News is part of TechForge SubscribeAll our premium content and latest tech news delivered straight to your inbox
Read More
