
Council of Europe Data Breach Claimed by ShinyHunters

Published on June 16, 2026

The Council of Europe is investigating claims of a data breach made by the extortion group ShinyHunters. The group claims it stole nearly 300 gigabytes of internal data from the organization. ShinyHunters listed the Council on its dark web leak site over the weekend. The group alleges the theft of payroll and personnel files belonging to more than 10,000 current and former staff members. The Council has not confirmed the incident, but a spokesperson said the organization is looking into the matter.

Founded in 1949, the Council of Europe represents 46 member states and a population of more than 700 million people. It operates separately from the European Union. The two bodies share a flag and are often confused with one another. The Council's mission centers on human rights, democracy, and the rule of law across the continent.

Scope of the Council of Europe Data Breach Claims

ShinyHunters says the archive it claims to have stolen totals roughly 429,000 files spread across multiple departments. The group names several departments as allegedly affected. Those include the Secretariat, the Parliamentary Assembly, and the Human Resources Directorate. The list also includes the European Directorate for the Quality of Medicines and HealthCare.

Within that archive, the group claims to hold more than 409,000 payslips. Those records reportedly cover payroll history from 2011 through 2026. The group also lists more than 14,000 CVs and over 3,700 internal personnel files. Additional records reportedly include contract files, travel expense data, interpreter scheduling logs, and salary scales.

The personal information allegedly exposed includes names, dates of birth, home addresses, and phone numbers. ShinyHunters also claims the files contain bank account numbers, tax records, and Social Security information. Medical records tied to individual staff members are reportedly included as well.

A Familiar Extortion Playbook

ShinyHunters runs a pay-or-leak model instead of deploying ransomware onto victim networks directly. The group posts a target to its leak site and publishes a sample of allegedly stolen data. It then sets a deadline for contact, and only after that deadline passes does it threaten a full release.

In this case, the group gave the Council until June 16, 2026, to respond. It warned of further disruption if no contact was made. That deadline lands today, though no confirmation of an actual leak has surfaced yet.

This pattern mirrors how ShinyHunters has handled other recent targets. The group pressures organizations into negotiation through public exposure rather than network encryption.

Part of a Broader 2026 Pattern

ShinyHunters built its reputation this year through a string of large-scale extortion campaigns rather than one attack method. Earlier in 2026, the group ran a long campaign against Salesforce Experience Cloud sites. It exploited misconfigured guest permissions to pull records from hundreds of organizations.

A separate supply chain compromise at an analytics vendor exposed Vimeo user data through a connected partner system. More recently, the group claimed a breach at dental benefits administrator DentaQuest. That breach reportedly exposed information tied to millions of Medicaid members.

Each campaign follows a similar arc. ShinyHunters claims a breach publicly and publishes samples to apply pressure. The group then sets a short window for negotiation before threatening a mass release.

Linked to a Wider PeopleSoft Campaign

The breach claim against the Council of Europe arrives days after ShinyHunters took credit for a separate wave of attacks. That campaign exploited a zero-day vulnerability in Oracle's PeopleSoft enterprise software. It already produced a confirmed breach at the University of Nottingham, affecting more than 450,000 current and former students. The same campaign reportedly touched over 100 organizations worldwide.

A representative for the group has reportedly described the Council as another victim of that same PeopleSoft exploitation wave. The group frames it as part of one campaign rather than a standalone intrusion. Oracle has not issued public comment tying the incidents together.

If accurate, the connection would place this alleged Council of Europe breach among a growing list of affected institutions. The campaign already ranks among the year's largest enterprise software exploitation efforts.

What the Exposed Data Could Mean

If the claims hold up, payroll and HR records carry long-term risk. They combine financial detail with personal identifiers in a single file. Bank account numbers paired with tax and Social Security details give attackers a strong base for identity theft.

Medical records add another layer of exposure. Health information rarely changes and cannot be reset the way a password can. Staff and contractors whose data spans 15 years face particular risk. Many have left the organization with no way to monitor what happens to their old records.

CVs and personnel files raise targeted phishing risk too. Detailed employment histories give attackers material for convincing impersonation attempts. Current staff and former employees alike may not expect contact from the Council again.

No Independent Confirmation Yet

No outside party has verified ShinyHunters' claims about the Council of Europe breach. The Council has offered no detail beyond confirming that an investigation is underway. Extortion groups routinely inflate file counts and data scope to increase pressure on victims. The final picture may differ from the initial leak site post.

International organizations face a harder path to breach response than private companies. They often answer to multiple member states and lack a single regulator to guide disclosure. The Council's next moves will matter. Whether it engages with ShinyHunters will shape what potentially affected staff and contractors eventually learn about their own exposure.

Current and former Council of Europe employees allegedly named in payroll records since 2011 have few options right now. The claims remain unverified. Security professionals generally recommend watching bank and tax statements closely. They also advise treating unsolicited calls or emails about employment details with suspicion and reporting unusual activity right away.
