
Cloud Misconfigurations Are Behind More Data Breaches Than Hackers, Dutch NCSC Warns

Source: CyberNews

The Dutch National Cyber Security Centre (NCSC) has issued a clear warning after reviewing multiple recent incidents: improperly configured cloud environments are becoming one of the most common routes to serious data breaches in European organisations, and the threat does not require a sophisticated attacker to succeed.

Automated Scanners Do the Work

The NCSC found that cybercriminals are using automated tools to continuously scan the internet for cloud misconfigurations at scale. When an exposed resource is found, the attacker sends what appears to be an entirely legitimate request to retrieve the data.

That last detail is critical: the access traffic is functionally indistinguishable from normal usage. There is no exploit to signature-match, no payload to flag, no anomalous connection pattern to alert on. Standard perimeter defences and many log analysis tools will show nothing unusual.

The Exposure Goes Well Beyond Storage Buckets

While exposed cloud storage objects receive the most attention, the NCSC highlighted a wider range of commonly misconfigured assets that are actively being exploited:

  • Storage buckets set to public read without intent (AWS S3, Azure Blob, Google Cloud Storage)
  • API credentials and service account keys committed to repositories or left in environment variables
  • Over-permissive IAM and RBAC policies that give service accounts far more access than their function requires
  • Publicly exposed management interfaces such as Kubernetes dashboards or database admin panels without authentication
  • Misconfigured identity federation settings that allow external identities to assume internal roles

The common thread is that each of these is the result of a configuration decision, not a software vulnerability. They can exist for months or years before being discovered, either by your own team or by a scanner operated by a criminal.

GDPR Makes Misconfiguration a Regulatory Event

For European organisations, the legal stakes compound the technical risk. Under GDPR, an attacker downloading personal data through a publicly accessible bucket constitutes a personal data breach regardless of how access was gained. The organisation is required to assess whether the incident is notifiable to supervisory authorities within 72 hours, and potentially to data subjects themselves.

Misconfiguration-driven breaches are not treated more leniently than intrusion-driven ones. Several enforcement actions in recent years have resulted in significant fines for organisations whose data was accessed via misconfigured resources that had no business being publicly accessible.

What the NCSC Recommends

The NCSC’s guidance calls for continuous oversight rather than periodic audits, and distinguishes between two failure modes: errors made at initial deployment and configuration drift that accumulates over time as environments evolve.

Recommended controls include:

  1. Maintain a current inventory of all cloud accounts, projects, storage resources, and service identities
  2. Enable cloud provider security posture tools such as AWS Security Hub, Microsoft Defender for Cloud, or GCP Security Command Center, and act on their findings
  3. Enforce least-privilege for every service account, IAM role, and API credential from the point of creation
  4. Scan infrastructure-as-code before deployment to catch misconfigurations in pipelines rather than in production
  5. Regularly review public-access settings for storage and network resources, especially after infrastructure changes

The agency emphasised that occasional checks are not sufficient. Configuration state in a live cloud environment changes continuously as teams deploy new services, and the gap between an accidental misconfiguration and its exploitation can be measured in hours.

Protecting Your Organisation

Cloud misconfiguration is one of the most preventable categories of data breach, and one of the most consistently underestimated. The risk is not theoretical: the NCSC based its warning on real incidents affecting real European organisations.

If your organisation runs workloads on AWS, Azure, Google Cloud, or Hetzner and does not have a structured programme for ongoing configuration review, now is the time to establish one.

Excello Digital works with European businesses to audit cloud environments, implement security posture management tooling, and establish configuration standards that prevent misconfigurations from reaching production. Contact our team to discuss where your cloud estate stands today.
