The Council of Europe — the 46-nation human-rights body in Strasbourg, not to be confused with the EU’s institutions — has become the latest name on ShinyHunters’ extortion portal. The group claims it stole a vast trove of human-resources and payroll data and has set a hard deadline: contact us by June 16, 2026, or the files go public.

For now, the Council is saying almost nothing. “We are currently investigating the matter and assessing the situation,” it told reporters. “We have no further comment to make at this stage.” That is the careful language of an organization that has not yet confirmed — or cannot yet confirm — that the data is real. Everything that follows is ShinyHunters’ claim, and it should be read that way until the Council says otherwise.

What the group says it took

The numbers ShinyHunters is advertising are large and specific. The group claims roughly 297GB of data across more than 429,000 files, including:

  • 409,000+ payslips spanning 2011 to 2026
  • 14,000+ CVs and resumes
  • ~3,700 internal HR and personnel files
  • purchase orders, contracts, performance evaluations, absence reports, and illness and medical records

The data types listed read like a complete employee dossier: names, dates of birth, home addresses, phone numbers, employee IDs, salaries, bank account details, tax and social-security information, and medical records. ShinyHunters says the payroll records alone cover more than 10,000 current and former employees, contractors, and job applicants, and that the haul touches the Secretariat, the Human Resources Directorate, the Parliamentary Assembly, and the European Directorate for the Quality of Medicines & HealthCare (EDQM), along with payroll, conference, interpretation, and linguistic services.

The leak post ends with the now-familiar squeeze: “This is a final warning to reach out by 16 June 2026 before we leak.” This is double extortion stripped to its essentials — there is no encryption here, just the threat of publication and a clock.

The PeopleSoft connection

ShinyHunters ties the intrusion to its exploitation of CVE-2026-35273, the critical (CVSS 9.8) unauthenticated remote-code-execution flaw in Oracle PeopleSoft that the group has been weaponizing across Europe. We covered that campaign when Google and Mandiant confirmed ShinyHunters was exploiting the PeopleSoft zero-day against universities, with Google notifying more than 100 organizations that had internet-facing PeopleSoft systems exposed during the May 27 to June 9 attack window.

One important caveat: the Council has not confirmed PeopleSoft was its entry point. The vector comes from ShinyHunters’ own claim and the circumstantial timing. It is plausible — the dates line up with the broader campaign — but it is not verified. Note also that this is a different campaign from the Salesforce data-theft wave the group is running in parallel; do not conflate the two.

A pattern, not an isolated hit

If the claim holds, the Council of Europe slots neatly into one of the most aggressive extortion runs of 2026. The same PeopleSoft spree has already produced confirmed and claimed victims across higher education — roughly 68% of identified targets sat in the university sector — including the University of Nottingham, where a criminal probe opened after passports and bank details of some 454,600 students leaked.

ShinyHunters has spent years industrializing this exact playbook, evolving from a Pokémon-inspired crew into one of the most prolific breach-and-extortion operations on the planet. The targeting of an intergovernmental human-rights institution — and the specific theft of medical and personnel records — is a reminder that the group treats sensitivity as leverage, not as a line it won’t cross.

What to watch

The immediate tell is the June 16 deadline. If ShinyHunters publishes, the data becomes verifiable and the Council’s “investigating” posture will have to give way to a confirmed-breach response — notifications, regulatory engagement, and the long tail of identity-fraud exposure for thousands of staff whose bank details and medical records would now be in the open. If the deadline passes quietly, it may signal a negotiation, a bluff, or a claim that did not survive contact with reality.

For the 10,000-plus people whose payslips and personnel files are allegedly in the archive, the practical advice is the same as any major breach: treat the data as exposed, watch bank accounts, and expect targeted phishing built from real internal details.

Sources