Cyber Incident Victim: Council of Europe

Date: Jun 2026

Location: France

Summary

ShinyHunters claims to have breached the Council of Europe, exfiltrating nearly 300 gigabytes of data comprising over 429,000 files from departments such as HR, Secretariat, Parliamentary Assembly and the European Directorate for the Quality of Medicines and HealthCare. The stolen material reportedly includes payroll information for more than ten thousand employees, upwards of fourteen thousand curricula vitae, contract and purchase order records, absence and illness reports, bank account details, performance evaluations and payroll exports, together with personal identifiers such as names, IDs, addresses, phone numbers, dates of birth, tax and social security numbers and medical records. The group has threatened to publish the data unless contacted to negotiate. The same actors have been associated with a series of extortion incidents targeting various organizations, including a recent campaign that leveraged a zero‑day flaw in Oracle PeopleSoft affecting roughly one hundred entities.

Description

ShinyHunters announced on June 15, 2026 that it had breached the Council of Europe’s network and exfiltrated nearly 300 gigabytes of data, claiming to have taken over 429 000 files from multiple departments including human resources, the secretariat, the parliamentary assembly, and the European Directorate for the Quality of Medicines & HealthCare. The group stated that the stolen material encompasses payroll records for more than 10 000 employees spanning 2011 to 2026, over 14 000 curricula vitae, contract and purchase order documents, absence and illness reports, bank account information, performance evaluations, and payroll exports. Additionally, the alleged data set contains personal identifiers such as employee names, identification numbers, residential addresses, telephone numbers, dates of birth, tax and social security details, and medical records. ShinyHunters posted the claim on its Tor‑based leak site and threatened to release the information publicly if the Council of Europe did not initiate contact by June 16, 2026 to begin negotiations.

In response to a SecurityWeek inquiry, the Council of Europe said it was investigating the matter and assessing the situation, offering no further comment at that time. The organization, founded in 1949 and comprising 46 member states including 27 European Union countries, noted its status as a leading human rights body and an official United Nations observer. No additional details about internal detection, containment measures, or remediation efforts were provided in the source material. The threat deadline passed without any public indication of whether the Council engaged with the extortion group or whether the data were subsequently released.

ShinyHunters has been linked to a series of high‑profile intrusions since mid‑2025, primarily targeting Salesforce customers such as Carnival, Canvas, Grafana, CarGurus, and Panera Bread. Separately, Google confirmed that a new ShinyHunters campaign exploited a zero‑day vulnerability in Oracle PeopleSoft, an attack that likely affected approximately 100 organizations. These contextual points describe the group’s recent activity but do not alter the factual account of the claimed Council of Europe breach as presented in the source article.
