Jun 19, 2026
ShinyHunters Stole 15 Years of Council of Europe Payroll
The extortion group that breached 100+ organizations via an Oracle zero-day claims to have stolen 409,000 payslips, 3,700 HR files, and medical records for 10,000 Council of Europe staff from 46 European nations.
The organization that monitors surveillance overreach across 46 nations just became a surveillance victim itself. ShinyHunters, the extortion group behind some of the most destructive data heists of the past two years, claims to have stolen 297GB of files from the Council of Europe's internal systems — 429,000 documents covering 15 years of payroll history, personnel files, CVs, bank account numbers, Social Security data, and medical records for more than 10,000 current and former staff. The group set a leak deadline of June 16, 2026. The Council of Europe says it is investigating.
Key Takeaways
- ShinyHunters claims to have exfiltrated 297GB from the Council of Europe, including 409,000+ payslips spanning 2011 to 2026.
- The stolen records allegedly include bank account details, Social Security numbers, and medical records for more than 10,000 employees, contractors, and job applicants.
- CVE-2026-35273, a 9.8-severity Oracle PeopleSoft zero-day, is the suspected entry point — ShinyHunters used it to breach more than 100 organizations before Oracle published a patch.
- The Council of Europe oversees human rights and data protection compliance for 700 million people across 46 European countries.
What Did ShinyHunters Actually Steal?
ShinyHunters claims the haul covers the Council of Europe's Secretariat, its Human Resources Directorate, the Parliamentary Assembly, and the European Directorate for the Quality of Medicines and HealthCare (EDQM). According to BleepingComputer's reporting, the data includes:
- Over 409,000 payslips from 2011 to 2026 — every salary movement, tax deduction, and bank transfer for anyone on payroll across 15 years
- 3,700 internal HR files — disciplinary records, performance reviews, contract terms
- 14,000+ CVs — full employment histories and references for applicants who never worked there
- Medical records for an undisclosed but substantial portion of the affected population
- Bank account details and Social Security numbers throughout
Payslips alone are a complete financial dossier: they reveal salary, pension contributions, tax liabilities, whether someone took unpaid leave, and the bank account where every payment landed. Combined with medical records and Social Security numbers, this is everything a sophisticated attacker needs to open credit lines, file fraudulent tax returns, or blackmail individuals.
How Did ShinyHunters Get In?
CVE-2026-35273 is a remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools rated 9.8 out of 10 on the CVSS scale. It requires no authentication and no user interaction — just network access over HTTP. Google's Mandiant team attributes the exploitation campaign to a cluster it tracks as UNC6240, with active exploitation documented between May 27 and June 9, 2026. Oracle did not publish its advisory until June 10, meaning the vulnerability was a zero-day for the entire window of the campaign.
The Council of Europe has not confirmed that CVE-2026-35273 was the entry point, but the timeline fits. ShinyHunters leveraged the same vulnerability against more than 100 organizations in a matter of weeks, targeting universities, government bodies, and large enterprises running PeopleSoft for HR and payroll management. Once inside, the group deployed a customized version of MeshCentral, an open-source remote monitoring tool, disguised as Microsoft Azure services, to maintain persistent access before exfiltrating data.
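One way to hunt for the persistence technique described above, a remote-management agent registered under a Microsoft or Azure-sounding name (an added example, not from the original article or any vendor report). The inventory records, field names and service names are constructed, and the MeshCentral hints assume the agent's default naming (MeshAgent, a .msh settings file), which a customized build may change.

```python
import re

# Display names imitating Microsoft/Azure components (heuristic pattern, assumed).
CLAIMS_MS = re.compile(r"\b(azure|microsoft)\b", re.I)
# Default MeshCentral agent naming; a customized build may rename all of it.
MESH_HINT = re.compile(r"mesh\s*agent|meshcentral|\.msh\b", re.I)
TRUSTED_SIGNERS = {"Microsoft Corporation", "Microsoft Windows"}

def triage(svc):
    """Return the reasons a service record deserves analyst review."""
    reasons = []
    signer = svc.get("signer")  # None means the binary is unsigned
    if CLAIMS_MS.search(svc["display_name"]) and signer not in TRUSTED_SIGNERS:
        reasons.append(f"claims Microsoft/Azure, signer is {signer or 'missing'}")
    blob = " ".join([svc["path"], svc.get("original_filename", ""),
                     *svc.get("files_in_dir", [])])
    if MESH_HINT.search(blob):
        reasons.append("MeshCentral agent artifact in metadata or directory")
    return reasons

def hunt(inventory):
    """Map display name -> reasons, for flagged services only."""
    flagged = {}
    for svc in inventory:
        reasons = triage(svc)
        if reasons:
            flagged[svc["display_name"]] = reasons
    return flagged

# Constructed inventory (e.g. exported by an EDR or asset agent); not real IoCs.
SAMPLE = [
    {"display_name": "Print Spooler", "signer": "Microsoft Windows",
     "path": r"C:\Windows\System32\spoolsv.exe"},
    {"display_name": "Azure Guest Agent", "signer": "Microsoft Corporation",
     "path": r"C:\Program Files\Azure\GuestAgent.exe"},
    {"display_name": "Microsoft Azure Update Service", "signer": None,
     "path": r"C:\ProgramData\AzureUpdate\azupd.exe",
     "original_filename": "MeshAgent.exe",
     "files_in_dir": ["azupd.exe", "azupd.msh"]},
    {"display_name": "Azure Telemetry Host", "signer": "Example Software Ltd",
     "path": r"C:\ProgramData\AzTelemetry\azth.exe",
     "original_filename": "azth.exe", "files_in_dir": ["azth.exe"]},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The signer check still fires on the fourth record, where every MeshCentral string has been stripped, which is why the name-versus-signer mismatch is the stronger of the two signals. A sanctioned MeshCentral deployment would trip the second check and should be allow-listed by signer or install path.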
Why Is the Council of Europe Breach Different?
Three previous ShinyHunters campaigns — the Snowflake client wave in 2024, the Salesforce credential thefts in 2025, and the Oracle PeopleSoft sweep in May 2026 — targeted commercial organizations. Damaging, but bounded. This breach hits differently.
The Council of Europe is the body that drafts the European Convention on Human Rights, monitors member states' compliance with privacy law, and produced Convention 108+, the only binding international treaty on data protection. Its staff work on cases involving surveillance abuse, government overreach, and the rights of dissidents in authoritarian states. A full HR database covering everyone employed there since 2011 is not just a payroll leak — it is a map of who has handled sensitive human rights cases, who has traveled to which member states, and who might be pressured.
For compliance officers at organizations with staff in any of the 46 member nations: the Council of Europe's breach is a concrete demonstration that even the institutions responsible for setting data protection standards have failed to meet them. The CISA staffing crisis documented this week raises a parallel question for US institutions — when the agencies meant to defend critical infrastructure are themselves undermanned and under attack, who is left holding the line?
What Does This Data Enable?
Payslips plus bank account numbers plus Social Security data is the identity theft trifecta. Attackers can open credit accounts in victims' names with a level of detail that defeats most verification checks, file tax refund fraud using accurate income history, and target specific individuals with spear phishing — "We're following up on your March 2023 salary discrepancy" — with enough authentic detail to be convincing. The CVs and personnel files extend the attack surface to people who applied for jobs and were never hired.
Why Email Users Should Care
Data breaches of this kind do not stay contained to the organization breached. Stolen HR records are routinely packaged and sold on criminal forums, where they become the raw material for email-based attacks weeks or months later. A former Council of Europe employee who receives an email referencing their 2019 salary figure or a specific contract renewal date has no obvious reason to suspect it is fraudulent — the detail is too accurate.
The ServiceNow zero-auth breach followed exactly this pattern: data exfiltrated from enterprise systems was almost immediately weaponized in targeted email campaigns against affected organizations' employees. The Council of Europe breach, with its 15 years of payroll history and medical records, offers attackers an unusually rich targeting dataset for exactly this kind of attack. Anyone who has ever worked for or applied to the Council of Europe should treat unsolicited emails referencing employment history, payroll, or HR matters as suspect — regardless of how accurate the details appear.
What Happens Next?
The Council of Europe has confirmed it is investigating and has not verified the breach. ShinyHunters' June 16 leak deadline has passed; as of this writing, it is not publicly confirmed whether data was published or whether any settlement was reached. SecurityWeek's coverage notes that the group has a history of following through on publication threats when demands go unmet.
Organizations still running unpatched Oracle PeopleSoft instances should treat CVE-2026-35273 as actively exploited and apply Oracle's June 10 advisory immediately.
The deeper irony is architectural rather than political. The Council of Europe's mandate includes holding governments accountable for how they handle citizen data. Its own HR infrastructure was apparently running enterprise software with a network-accessible, unauthenticated remote code execution vulnerability — the kind of flaw that compliance frameworks exist to prevent. The gap between what privacy regulators demand of others and what they practice internally has rarely been illustrated so starkly.