ShinyHunters Claims Breach of Council of Europe, Threatens to Leak 300 GB of Data
The ShinyHunters extortion group claims to have breached the Council of Europe, stealing nearly 300 GB of data including payroll records for over 10,000 employees and threatening public release if ransom demands are not met.
The notorious extortion group ShinyHunters has claimed responsibility for hacking the Council of Europe, Europe's leading human rights organization and a United Nations observer with 46 member states. On Sunday, the group added the Council to its Tor-based leak site, threatening to release more than 297 GB of data allegedly stolen from the organization's network unless the Council contacts them by June 16 to begin negotiations.
The stolen data, according to ShinyHunters, includes over 429,000 files spanning multiple departments, including HR, Secretariat, Parliamentary Assembly, and the European Directorate for the Quality of Medicines & HealthCare. The files allegedly contain payroll data for more than 10,000 Council employees from 2011 to 2026, over 14,000 CVs, contract and purchase order records, absence and illness reports, bank account information, performance evaluations, and payroll exports. Additionally, the group claims the data includes employee names, IDs, addresses, phone numbers, dates of birth, tax and social security information, and medical records.
The Council of Europe has not yet publicly acknowledged the incident. SecurityWeek has reached out to the organization for comment but has not received a response as of publication. The lack of acknowledgment leaves the veracity of ShinyHunters' claims unconfirmed, though the group's track record lends credibility to the threat.
ShinyHunters has been linked to multiple high-profile intrusions since mid-2025, primarily targeting Salesforce customers, including Carnival, Canvas, Grafana, CarGurus, and Panera Bread. Last week, Google confirmed that a new ShinyHunters campaign exploited a zero-day vulnerability in Oracle PeopleSoft, likely impacting over 100 organizations. This pattern of targeting diverse, high-value organizations underscores the group's sophistication and reach.
The breach of a major intergovernmental organization like the Council of Europe is particularly concerning given the sensitivity of the data involved. Payroll records, medical information, and personal identifiers for thousands of employees could be used for identity theft, phishing, or other malicious activities. The threat of public release adds an extortionary pressure that could have significant diplomatic and operational repercussions.
Security experts advise organizations to monitor for any leaked data and to prepare for potential phishing campaigns targeting Council employees or affiliates. The incident also highlights the ongoing threat posed by extortion groups that combine data theft with public shaming tactics, a trend that has become increasingly common in the cybercriminal landscape.
As the June 16 deadline approaches, the cybersecurity community will be watching closely to see if the Council of Europe engages with the attackers or if the data is released. Either outcome will have implications for how similar institutions approach their cybersecurity posture and incident response protocols.