Council of Europe Data Breach: ShinyHunters Steals 297GB of Files


In a stunning escalation of global cyber warfare targeting critical intergovernmental institutions, the notorious cybercrime and extortion collective known as ShinyHunters has claimed responsibility for a massive cyberattack against the Council of Europe. Serving as the continent’s oldest and most prominent intergovernmental human rights body—representing 46 member states and overseeing the protection of democracy for over 700 million citizens—the Council now finds itself navigating a high-stakes emergency. This catastrophic Council of Europe data breach, which came to light on June 15, 2026, reportedly resulted in the exfiltration of 297 gigabytes of highly sensitive internal administrative and payroll data. As the threat actors issue a high-pressure “final warning” to force negotiations before publishing the stolen archives, cybersecurity experts and state actors alike are scrambling to contain the damage of a breach that threatens not only financial safety but the operational integrity of European diplomacy itself.

Inside the Council of Europe Data Breach: The Stolen Trove

On Sunday, June 14, 2026, ShinyHunters updated their Tor-based dark web leak site to list the Council of Europe as their latest victim, sending shockwaves through the cybersecurity community. The group boasts that they bypassed the Council’s internal networks to successfully exfiltrate more than 429,000 files originating from core organizational divisions. Unlike typical ransomware campaigns that disrupt operations by encrypting local systems, this is a pure-play data theft and double-extortion operation designed to leverage highly confidential employee and administrative datasets.

According to security analysts reviewing the threat actors’ claims, the compromised information spans multiple vital departments within the Council. These include the Directorate of Human Resources, the Secretariat, the Parliamentary Assembly, the European Directorate for the Quality of Medicines & HealthCare (EDQM), and the overarching payroll administration. The stolen data represents a near-complete digital mapping of the organization’s personnel history, operations, and financial workflows over the last decade and a half.

The compromised repository contains highly damaging and structured personal files, including:

  • Over 409,000 employee payslips: Spanning a fifteen-year period from 2011 to 2026, these documents expose the payroll data of more than 10,000 staff members, including permanent civil servants, temporary contractors, external consultants, and language booth operators.
  • Upwards of 14,000 CVs and 3,700 personnel files: These files contain detailed career histories, educational backgrounds, in-house performance evaluations, and personal references for both current employees and prospective candidates.
  • Over 10,700 per-employee document stores: Deeply granular administrative folders containing contracts, purchase orders, identity documents, and personal records.
  • Sensitive Financial and Tax Records: Direct bank account routing details (including IBANs), salary structures, tax declarations, and social security filings.
  • Private Medical Data: Detailed internal logs and absence sheets containing highly personal health information, medical leave approvals, and documentation regarding employee illnesses.

The threat actors have explicitly designated June 16, 2026, as the “final warning” deadline for the Council of Europe to establish contact and negotiate a settlement. Should the intergovernmental body refuse to comply, ShinyHunters has threatened to leak the entire 297GB dataset publicly, while simultaneously unleashing targeted digital disruptions against the organization’s remaining networks. While the Council of Europe’s media department has officially confirmed that they are actively investigating the situation and assessing the security breach, they have refrained from releasing technical specifics or indicating whether they intend to engage with the extortionists.

Technical Exploitation: The CVE-2026-35273 Zero-Day Exploit

While the Council of Europe has been tight-lipped regarding the initial access vector, independent cybersecurity investigations have tied this incident directly to a broader, highly coordinated campaign targeting Oracle PeopleSoft enterprise software. Intelligence reports published by Mandiant and Google’s Threat Intelligence Group confirm that throughout late May and early June 2026, ShinyHunters has been actively exploiting a critical, unpatched zero-day vulnerability tracked as CVE-2026-35273.

Carrying a maximum-severity CVSS score of 9.8 out of 10, CVE-2026-35273 is an unauthenticated Remote Code Execution (RCE) flaw residing within the PeopleSoft Environment Management Hub (PSEMHUB) component. The technical mechanics of the exploit are both sophisticated and devastatingly efficient:

  1. Reconnaissance and Automation: ShinyHunters deployed automated scanning scripts designed to identify internet-exposed PeopleSoft instances globally. These scripts prioritized platforms running vulnerable versions of PeopleSoft PeopleTools (specifically versions 8.61 and 8.62).
  2. Unauthenticated Entry: By exploiting the PSEMHUB defect, the attackers were able to bypass standard authentication barriers entirely, enabling them to execute arbitrary administrative commands on the targeted application tier without requiring a username or password.
  3. Command-and-Control (C2) Establishment: Once entry was secured, the threat actors deployed customized MeshCentral agents. To evade traditional endpoint detection and response (EDR) solutions, these malicious agents were disguised as legitimate Microsoft Azure services.
  4. Lateral Movement and Credential Harvesting: Utilizing Python-based staging environments and localized lateral movement scripts, ShinyHunters executed target-specific credential spraying. They focused heavily on guessing or harvesting credentials for key default administrative accounts, including “psoft”, “oracle”, and “linuxadm”.
  5. Silent Data Exfiltration: With administrative control established, the attackers seamlessly navigated the internal environment, gaining access to the back-end database servers hosting the human resources and payroll modules, before staging and exfiltrating hundreds of gigabytes of data.

By weaponizing this zero-day vulnerability before Oracle could publish an emergency advisory on June 10, 2026, ShinyHunters successfully compromised more than 300 PeopleSoft instances across over 100 global organizations. The Council of Europe, relying heavily on PeopleSoft for its vast multinational workforce, fell victim to the automated, industrialized nature of this campaign.

ShinyHunters and the Rising SLH Threat Matrix

The compromise of the Council of Europe is merely the latest chapter in a hyper-aggressive 2025–2026 hacking spree executed by ShinyHunters. Historically known for high-profile data breaches dating back to 2020, the group has recently evolved. Modern threat intelligence monitors categorize ShinyHunters as a core operating cell of the broader SLH (Scattered Lapsus$ Hunters) collective. This syndicate represents a fusion of talent and playbooks from Scattered Spider, Lapsus$, and ShinyHunters, operating within the decentralized English-speaking cybercriminal underground colloquially known as “the Com”.

The SLH playbook is defined by rapid, automated exploitation of widely deployed enterprise applications. Rather than spending months inside a single network, these actors execute campaigns at stunning speeds. Industry reports indicate that the group can progress from initial network compromise to complete data exfiltration in under an hour. This speed outpaces the response times of even the most sophisticated internal security operations centers (SOCs).

Prior to hitting the Council of Europe, ShinyHunters’ 2026 campaigns targeted massive enterprise environments:

  • The Salesforce Campaign: A single, sweeping operation targeting Salesforce customers that allegedly compromised over 1.5 billion records across more than 1,000 target organizations.
  • The European Commission Breach: In March and April 2026, the group targeted the public cloud infrastructure supporting the europa.eu platform, proving that European intergovernmental bodies are actively in their crosshairs.
  • Higher Education & Enterprise Raids: Alongside the Council of Europe, over 100 academic and enterprise institutions—including the University of Nottingham—were breached via the same Oracle PeopleSoft zero-day.

Geopolitical Risks and the Human Cost of Exposure

The ramifications of the Council of Europe data breach extend far beyond the typical financial damage associated with corporate hacks. The Council of Europe is a cornerstone of international human rights law. It is home to the European Court of Human Rights (ECHR), where individuals can sue member governments for human rights abuses. The organization employs diplomats, legal scholars, human rights advocates, and administrative staff who handle highly sensitive geopolitical matters.

By exposing 15 years of personnel records, medical logs, travel history, and exact financial data, ShinyHunters has effectively handed a goldmine of intelligence to adversarial nation-states and malicious actors alike. If published, this database could be weaponized in several ways:

  1. Targeted Blackmail and Espionage: Detailed records of medical leave, absence reports, and financial overpayments provide perfect leverage for foreign intelligence services looking to recruit or coerce diplomatic staff and human rights observers.
  2. Advanced Spear-Phishing: Using authentic 2026 salary scales, internal employee ID numbers, and direct supervisor names, threat actors can craft incredibly convincing social engineering campaigns. These can be used to inject malware further into European government networks.
  3. Physical Security Threats: Human rights observers working in hostile environments rely on their home addresses, phone numbers, and travel schedules remaining confidential. Exposing these details puts lives at risk.
  4. Systemic Financial Fraud: Stolen routing information, social security documents, and bank account details open the door to massive, automated identity theft and financial routing fraud across multiple European jurisdictions.

Immediate Incident Response and Enterprise Defenses

For the Council of Europe and the dozens of other institutions compromised in this campaign, immediate incident response is a critical priority. Security experts recommend that any organization currently utilizing Oracle PeopleSoft PeopleTools execute a series of high-priority security procedures:

  • Apply Emergency Patches and Mitigations: Organizations must immediately apply the out-of-band mitigations and official patches issued by Oracle for CVE-2026-35273.
  • Network Isolation: Restrict public internet exposure of the PeopleSoft Environment Management Hub (PSEMHUB) component, placing it behind a secure virtual private network (VPN) or enterprise firewall.
  • Log and Indicator Auditing: Security teams should actively search internal application and system logs for connections originating from known ShinyHunters-controlled IP addresses, such as 142.11.200[.]186–190, 108.174.202[.]99, and 176.120.22[.]24.
  • Credential Revocation: Force immediate password resets for all administrative accounts, particularly common default configurations (e.g., psoft, oracle, linuxadm), and mandate hardware-based multi-factor authentication (MFA) across all endpoints.

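The log-auditing step above lists three indicator entries, one of which is a five-address range written in defanged form. The following script is an added example (not code from the article, from ShinyHunters, or from the Council of Europe) showing how a SOC would normalise those published indicators, expand the last-octet range, and sweep web-server access logs for any match. The log lines are constructed here for illustration, and the `/PSEMHUB/` request path in them is an assumption, not a path the article documents.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Indicators exactly as quoted in the article: defanged with "[.]", and the
# first entry is a last-octet range (186 through 190) written with an en dash.
PUBLISHED_IOCS = [
    "142.11.200[.]186\u2013190",
    "108.174.202[.]99",
    "176.120.22[.]24",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RANGE_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a plain string; also normalise en dashes."""
    return indicator.strip().replace("[.]", ".").replace("\u2013", "-")


def expand_iocs(indicators: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Expand each indicator (single address or a.b.c.X-Y last-octet range) to addresses."""
    addresses: Set[ipaddress.IPv4Address] = set()
    for raw in indicators:
        text = refang(raw)
        match = RANGE_RE.match(text)
        if match:
            prefix, low, high = match.group(1), int(match.group(2)), int(match.group(3))
            for last_octet in range(low, high + 1):
                addresses.add(ipaddress.IPv4Address(f"{prefix}{last_octet}"))
        else:
            addresses.add(ipaddress.IPv4Address(text))
    return addresses


def scan_log_lines(lines: Iterable[str],
                   iocs: Set[ipaddress.IPv4Address]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for every log line containing an IoC address."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue  # e.g. "999.1.1.1" matched the regex but is not an address
            if addr in iocs:
                hits.append((number, str(addr), line.rstrip()))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample access-log lines (combined-log style). The PSEMHUB path is assumed.
SAMPLE_LOG = [
    '10.0.5.12 - - [12/Jun/2026:09:14:03 +0200] "GET /psp/ps/ HTTP/1.1" 200 5120',
    '142.11.200.188 - - [12/Jun/2026:09:15:41 +0200] "POST /PSEMHUB/hub HTTP/1.1" 200 318',
    '176.120.22.24 - - [12/Jun/2026:09:16:02 +0200] "GET /PSEMHUB/hub HTTP/1.1" 200 318',
    '142.11.200.191 - - [12/Jun/2026:09:17:30 +0200] "GET /psp/ps/ HTTP/1.1" 200 5120',
    '108.174.202.99 - - [12/Jun/2026:09:18:12 +0200] "GET /psp/ps/ HTTP/1.1" 302 0',
]


def find_hits() -> List[Tuple[int, str, str]]:
    """Sweep the constructed sample log against the expanded indicator set."""
    return scan_log_lines(SAMPLE_LOG, expand_iocs(PUBLISHED_IOCS))


if __name__ == "__main__":
    for number, ip, line in find_hits():
        print(f"line {number}: {ip} -> {line}")
```

Note that 142.11.200.191 on the fourth sample line is deliberately one address outside the published range and must not match; expanding the range explicitly rather than prefix-matching the /24 keeps the sweep faithful to the indicators actually reported. In production the same functions would be fed from `sys.stdin` or a log file rather than the embedded sample.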
The Council of Europe’s silent struggle against ShinyHunters highlights a grim reality of the 2026 threat landscape: no institution, regardless of its humanitarian or diplomatic status, is immune to industrialized cyber extortion. As the June 16 deadline passes, the decisions made by the Council’s leadership will serve as a critical case study in how modern international organizations balance operational security, ethical boundaries, and the personal safety of their global workforces under the threat of digital exposure.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.