Wasteland.
▣ Breach COUNCIL-OF-EUROPE 2026-06-15

Council of Europe: ShinyHunters PeopleSoft Data Theft

The Council of Europe has become the latest organization caught in ShinyHunters' sprawling Oracle PeopleSoft extortion campaign, with the crew claiming to have stolen more than 297 GB of data spanning some 429,000 files. The Council confirmed to The Register that it is "currently investigating the matter and assessing the situation," adding the intergovernmental body to a victim list that ShinyHunters says exceeds 100 organizations across 300 vulnerable PeopleSoft instances.

What Happened

ShinyHunters listed the Council of Europe on its data-leak site, claiming the haul as part of an ongoing campaign that abuses a zero-day flaw in Oracle PeopleSoft, tracked as CVE-2026-35273. A spokesperson for the cybercrime group told The Register that the Council is "yet another victim" of the PeopleSoft heist. Oracle has not responded to inquiries, and it remains unclear whether the vulnerability has been patched. The Council acknowledged the incident but declined to comment beyond confirming an active investigation.

The breach is not an isolated event. ShinyHunters previously stated it exploited the same CVE to compromise more than 100 organizations, including the University of Nottingham, which had data on roughly 454,600 current and former students dumped on the leak site last week.

What Was Taken

According to the gang's leak-site post, the 429,000 stolen files contain an unusually sensitive cross-section of personnel data:

The combination of financial, identity, and health data makes this haul especially damaging for affected staff, opening the door to targeted fraud, identity theft, and follow-on extortion against individuals.

Why It Matters

This breach demonstrates that the PeopleSoft campaign has graduated from universities and ed-tech providers to a high-profile intergovernmental institution. A Google threat report covering activity from May 27 to June 9 flagged behavior "consistent with the exploitation of CVE-2026-35273" and noted that responders notified more than 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Most were US-based, and 68 percent operated in higher education.

The Council of Europe's inclusion signals that any organization running internet-facing PeopleSoft is in scope, regardless of sector or geography. It also fits ShinyHunters' established playbook of mass exploitation followed by extortion, a model that has already paid off: ed-tech giant Instructure reached an agreement, widely read as paying the ransom, after the crew breached its Canvas platform and accessed data tied to 275 million students, teachers, and staff in mid-May.

The Attack Technique

ShinyHunters claims the intrusions stem from a zero-day vulnerability in Oracle PeopleSoft, CVE-2026-35273, exploited at scale across roughly 300 vulnerable instances. The attackers appear to be scanning for internet-exposed PeopleSoft endpoints, exploiting the flaw to gain access, and bulk-exfiltrating HR and payroll datasets before listing victims for extortion. The campaign mirrors the group's earlier Salesforce-related intrusion wave, including the March theft from K-12 provider Infinite Campus, where ShinyHunters leaned on a single widely deployed enterprise platform to multiply its reach.

What Organizations Should Do

  1. Inventory all Oracle PeopleSoft deployments immediately, with particular attention to internet-facing instances and HR/payroll modules.
  2. Apply Oracle's patches for CVE-2026-35273 as soon as they are available, and subscribe to Oracle security advisories for status updates.
  3. Restrict external exposure of PeopleSoft portals using VPNs, IP allowlisting, or web application firewalls until patching is confirmed.
  4. Hunt for indicators of compromise across the May 27 to June 9 window and beyond, correlating with the Google threat report findings.
  5. Review logs for anomalous bulk data access and exfiltration from HR and payroll systems.
  6. Prepare breach notification and incident response plans now, given the sensitivity of payroll, banking, tax, and medical records at risk.
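
One way to approach steps 4 and 5, as an added example that is not from the source article, Oracle, or the Google report: total the bytes served to each client per day from the web-server access log in front of the portal and list clients above a review threshold. Assumptions: the log is in Combined Log Format, the hunt window's year is 2026 (taken from this brief's date), the 500 MiB threshold is arbitrary, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Window from the Google report cited above; the year is assumed from the brief's date.
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))  # end is exclusive
THRESHOLD = 500 * 1024 * 1024  # assumed: bytes per client per day worth reviewing

# Combined Log Format prefix: ip ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Return (ip, utc_datetime, status, bytes_sent), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["ip"], ts.astimezone(timezone.utc), int(m["status"]), size

def bulk_egress(lines, window=WINDOW, threshold=THRESHOLD):
    """List (ip, day, bytes, requests) where one client pulled >= threshold in a day."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, status, size = rec
        # Count only successful responses inside the hunt window.
        if window[0] <= ts < window[1] and 200 <= status < 300:
            bucket = totals[(ip, ts.date().isoformat())]
            bucket[0] += size
            bucket[1] += 1
    hits = [(ip, day, b, n) for (ip, day), (b, n) in totals.items() if b >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 - - [02/Jun/2026:01:10:00 +0000] "GET /hr/export?p=1 HTTP/1.1" 200 209715200',
    '203.0.113.7 - - [02/Jun/2026:01:12:00 +0000] "GET /hr/export?p=2 HTTP/1.1" 200 209715200',
    '203.0.113.7 - - [02/Jun/2026:01:14:00 +0000] "GET /hr/export?p=3 HTTP/1.1" 200 209715200',
    '198.51.100.20 - - [02/Jun/2026:09:00:00 +0000] "GET /hr/home HTTP/1.1" 200 48211',
    '198.51.100.20 - - [02/Jun/2026:09:00:05 +0000] "GET /hr/export HTTP/1.1" 403 900000000',
    '203.0.113.7 - - [20/Jun/2026:03:00:00 +0000] "GET /hr/export?p=4 HTTP/1.1" 200 900000000',
    'not a log line',
]
```

Pass a wider `window` to cover the "and beyond" part of step 4, and tune `threshold` against a baseline of normal per-user traffic for the portal.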

Sources: Council of Europe hacked in ShinyHunters' PeopleSoft heist