The Council of Europe has confirmed it is investigating a major data breach after the cybercriminal group ShinyHunters published roughly 297GB of sensitive employee data following the expiration of a ransom deadline. The leaked archive contains records on more than 10,000 current and former employees, contractors, and job applicants, spanning documents dating back 15 years. Founded in 1949 and representing 46 member states, the Council is one of Europe's foremost human rights bodies, making the exposure of its internal personnel data particularly consequential.
What Happened
ShinyHunters exfiltrated data from multiple Council departments, including human resources and administrative units, reportedly obtaining more than 429,000 files. When the Council declined to meet the group's ransom demand, ShinyHunters made good on its extortion threat and released the full dataset publicly. This ranks as one of the largest breaches of personal data ever recorded against an intergovernmental organization in Europe.
Rather than relying on a single leak site that could be taken down, ShinyHunters escalated its strategy after the refusal to pay. The group announced it would permanently distribute the stolen datasets across multiple mirror sites and torrent networks, deliberately hardening the leak against future takedown efforts and ensuring long-term availability of the data.
What Was Taken
The compromised archive is both large and deeply sensitive. Exposed records reportedly include:
- Payroll records and salary histories
- Bank account information
- Medical information
- Tax and social security data
- Complete personnel files
- Thousands of CVs from current staff, former employees, and applicants
Because the dataset combines financial, medical, and identity information at scale, the downstream risk is severe. Victims face heightened exposure to identity theft, financial fraud, and highly targeted phishing and social engineering campaigns that draw on the internal detail contained in the leaked files.
Why It Matters
An intergovernmental human rights organization holding data on staff, contractors, and applicants is a high-value target, and the depth of this compromise underscores that no institution is immune. The 15-year data retention window meant even people who left the organization long ago are now exposed, illustrating how legacy data becomes long-term liability when it is not minimized or purged.
The shift to torrents and mirror distribution is a strategic signal for defenders. Extortion groups increasingly treat takedown resistance as a core part of their playbook, meaning breached data is now effectively permanent and cannot be walled off after the fact. For any organization negotiating with an actor like ShinyHunters, this reframes the calculation: refusal to pay does not contain the damage, and paying offers no guarantee against later release.
The Attack Technique
The breach has been tied to CVE-2026-35273, a critical 9.8-severity zero-day vulnerability in Oracle PeopleSoft's Environment Management Hub (PSEMHUB). According to security researchers, the flaw allowed attackers to execute arbitrary code remotely without authentication. Google's Mandiant team reported that more than 100 organizations were actively exploited through this vulnerability before Oracle released security guidance.
ShinyHunters chained the zero-day with older, known vulnerabilities to establish persistent access, then moved laterally through compromised environments while impersonating legitimate users to avoid raising alarms. The exploitation window ran from May 27 to June 9, 2026, before mitigations were available, giving the group ample time to identify and exfiltrate high-value data across multiple departments.
What Organizations Should Do
- Patch Oracle PeopleSoft immediately and prioritize CVE-2026-35273, applying Oracle's security guidance to PSEMHUB and any internet-facing components.
- Hunt for compromise between late May and mid-June 2026, reviewing logs for anomalous PeopleSoft activity, unexpected code execution, and lateral movement consistent with impersonated user sessions.
- Enforce least privilege and network segmentation so a single exploited application cannot provide a path to HR, payroll, and administrative data stores.
- Minimize and purge legacy data, retiring records for former employees and applicants that no longer serve a business or legal purpose.
- Prepare for permanent leaks by assuming exfiltrated data cannot be recovered or suppressed, and build incident response and victim notification plans around that reality.
- Notify and protect affected individuals with credit monitoring, targeted phishing awareness, and guidance on fraud alerts given the financial and medical nature of the exposed data.
TWEET: Council of Europe breached by ShinyHunters. 297GB and 10,000+ employee records leaked after ransom refused. Full breakdown: https://wasteland.me/intel/council-of-europe-shinyhunters-breach #CyberSecurity #ThreatIntel