The European Commission disclosed last week that attackers breached its cloud infrastructure and made off with more than 350 GB of data, including mail server dumps, database exports and internal documents. The breach, claimed by the ShinyHunters group, hit the Commission’s Amazon Web Services environment — not through an AWS vulnerability, but by compromising the account management layer that controlled access to the cloud setup, as reported by TechCrunch.
That distinction matters for every Australian not-for-profit running workloads in the cloud. The attack didn’t exploit some exotic zero-day in AWS itself. It targeted the credentials and access controls that the Commission used to manage its own cloud environment. This is precisely the kind of risk that NFPs face: you’ve moved to the cloud (good), but the responsibility for securing your account, your access keys, and your identity management doesn’t move with it. Under the Australian Privacy Act, organisations that hold personal data — donors, volunteers, beneficiaries — are on the hook regardless of where that data physically sits. The OAIC has made it clear through its 2026 compliance sweep that it expects organisations to understand and manage their data handling end-to-end.
If your NFP uses AWS, Azure, or Google Cloud, now is a good time to audit your cloud access controls. At a minimum: enable multi-factor authentication on every account with cloud admin access, review who has permissions and revoke anything that’s no longer needed, and make sure your cloud credentials aren’t sitting in a shared spreadsheet somewhere. If you haven’t reviewed your cloud security posture in the last six months, treat this as your prompt to do it.
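For AWS, the MFA and stale-permission checks above can be run against the IAM credential report. The following is an added example, not code from the original article: it parses a report in AWS's CSV column layout and flags console users without MFA and access keys that look abandoned or overdue for rotation. The sample rows are constructed, and the 90-day threshold is an assumption to adjust to your own policy.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (subset of columns; user names, account ID and dates are made up).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2024-01-10T00:00:00+00:00,2024-02-01T00:00:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2024-11-01T00:00:00+00:00,2025-06-10T00:00:00+00:00
old-vendor,arn:aws:iam::111122223333:user/old-vendor,false,false,true,2025-04-01T00:00:00+00:00,N/A
"""
SAMPLE_NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)  # constructed audit date

def _parse(ts):
    """Return an aware datetime, or None for values such as N/A."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None

def audit(report_csv, now, max_age_days=90):
    """Return (user, issue) pairs; max_age_days is an assumed policy value."""
    findings = []
    cutoff = now - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has a password; the report lists it as "not_supported".
        has_console = row["password_enabled"] == "true" or user == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            used = _parse(row[f"access_key_{n}_last_used_date"])
            if used is None or used < cutoff:
                findings.append((user, f"key {n} unused for {max_age_days}+ days: revoke"))
            elif rotated is None or rotated < cutoff:
                findings.append((user, f"key {n} older than {max_age_days} days: rotate"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {issue}")
```

A real report can be downloaded from the IAM console or with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, then passed to `audit()` in place of the sample.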
Not-for-profits often have limited IT resources, which makes this kind of hygiene easy to overlook. All IT Services supports NFPs with cloud security reviews and ongoing managed IT that keeps these fundamentals covered without needing a full-time security team.
