XOOMAR
Cybersecurity · June 15, 2026 · 5 min read · By XOOMAR Insights Team

ShinyHunters Breach Claim Jolts Council of Europe

Updated on June 15, 2026

More than 429,000 documents may have been stolen from the Council of Europe, according to claims by the ShinyHunters extortion group, putting a possible Council of Europe ShinyHunters data breach under urgent review.

XOOMAR Intelligence

Analyst Take

Score: 60/100 (Moderate). 4 sources analyzed; low confidence. Trend 20, Freshness 94, Source Trust 88, Factual Grounding 92, Signal Cluster 20.

The Council of Europe told BleepingComputer it is investigating the claims but has not confirmed that its systems were breached or that any stolen data is authentic. That distinction matters. Right now, this is an extortion claim under investigation, not a verified breach.

"We are currently investigating the matter and assessing the situation. We have no further comment to make at this stage," the Council said.

Council of Europe probes ShinyHunters breach claim after weekend extortion post

The Council of Europe, described by BleepingComputer as the continent's oldest intergovernmental body, represents 46 European member states and a population of more than 700 million people. Its work centers on human rights, democracy, and the rule of law.

ShinyHunters posted the claim on its dark web leak site over the weekend. The group alleged it had taken HR and payroll material from multiple Council of Europe departments and threatened to leak the files on Tuesday if the organization did not respond by 16 June 2026.

The group claimed the haul includes:

  • 409,000+ payslips: Covering 10,000+ staff from 2011 to 2026
  • 3,700+ in-house personnel files: Allegedly tied to internal employee records
  • 14,000+ CVs: Potentially exposing recruitment and professional history data
  • Other files: Claimed to include personal, financial, tax, social security, and medical information

SecurityWeek separately reported that ShinyHunters claimed the alleged dataset totals more than 297 GB and spans departments including HR, Secretariat, Parliamentary Assembly, and the European Directorate for the Quality of Medicines & HealthCare.

None of that has been publicly verified by the Council of Europe. The only confirmed fact from the organization is that it is investigating and assessing the situation.


ShinyHunters claim raises pressure to verify payroll and HR data

The pressure point in the alleged Council of Europe ShinyHunters data breach is not just file volume. It is the type of information ShinyHunters says it has.

If the files are authentic, payslips, personnel records, CVs, bank account details, tax data, social security information, and medical records would create immediate privacy and fraud risks for affected individuals. HR data is useful to criminals because it combines identity, employment, financial, and internal organizational context in one place.

ShinyHunters also claimed the stolen material includes names, dates of birth, home addresses, phone numbers, employee IDs, salaries, and bank details. That would make the alleged cache valuable for targeted phishing and impersonation if confirmed.

But extortion groups have every incentive to inflate claims. They can exaggerate file counts, mix old and current data, recycle third-party records, or present partial access as full compromise. Investigators will need to test whether the files are real Council of Europe material, whether they are current, and whether they came from internal systems.

ShinyHunters has a history of public leak pressure campaigns. BleepingComputer reported that the group has claimed attacks against Salesforce customers, alleging more than 1.5 billion records stolen in breaches affecting hundreds of companies and organizations through Salesforce Aura and Salesloft Drift campaigns.

The group was also linked to attacks against over a dozen Snowflake customers and other third-party integration providers. More recently, it claimed responsibility for a data theft campaign tied to a zero-day vulnerability in Oracle PeopleSoft. For related XOOMAR coverage of that thread, see "No Patch Yet as PeopleSoft Zero-Day Opens RCE Door" and "100 Firms Hit as Oracle Leaves PeopleSoft Unpatched".

Investigators now have to separate proof from pressure

The Council's immediate task is verification. That means checking whether ShinyHunters has authentic samples, matching document metadata and timestamps, reviewing access logs, and identifying whether any employee accounts, HR systems, payroll exports, endpoints, or cloud services were accessed.

The hardest question is source. A real-looking file does not automatically prove a fresh breach of the Council of Europe network. It could be current internal data, old archived material, third-party data, fabricated material, or files obtained through another compromise.

That is why public confirmation may take time. A rushed statement could understate exposure or validate an attacker narrative before the evidence supports it.

A practical comparison:

Claim area | ShinyHunters says | Confirmed by Council of Europe
Documents stolen | 429,000+ | No
Payslips | 409,000+ | No
Staff affected | 10,000+ | No
CVs | 14,000+ | No
Investigation underway | Not applicable | Yes
Public breach confirmation | Claimed by attacker | No

The strongest signal so far is the Council's acknowledgement that it is investigating. The weakest signal is the attacker's own deadline, because leak-site countdowns are part of the pressure tactic.


The next signal is whether ShinyHunters leaks samples or the Council confirms exposure

The next phase of the Council of Europe ShinyHunters data breach story will turn on evidence. Readers should watch for a formal Council incident statement, confirmation that personal data was exposed, visible leak activity from ShinyHunters, service disruptions, password reset notices, or law enforcement involvement.

If the Council confirms exposure, the focus shifts to affected people and the exact data fields involved. If investigators find the claim is exaggerated or based on stale material, the incident still shows how quickly a leak-site post can force a major institution into public incident-response mode.

For now, the responsible reading is narrow: ShinyHunters claims a large Council of Europe data theft, the Council is investigating, and no public confirmation of a breach has been issued. The watch item is whether the attacker produces verifiable data or the Council confirms that internal systems were accessed.

Impact Analysis

  • The claims involve sensitive HR, payroll, tax, social security, and medical data that could expose employees to fraud or harassment.
  • The Council of Europe has not verified the breach, so readers should distinguish confirmed facts from extortion-group allegations.
  • If authentic, the alleged theft could affect staff across a major European human rights and democracy institution.

Chart: Claimed Council of Europe Data Types (documents): Payslips 409,000; Personnel files 3,700; CVs 14,000.