Skip to content
Cyber Breaches
Search
Data breachOngoing

ShinyHunters claims theft of 297GB of Council of Europe payroll and HR data via Oracle PeopleSoft zero-day

The extortion group ShinyHunters claimed it stole roughly 297GB of payroll, HR and financial records belonging to more than 10,000 current and former Council of Europe staff by exploiting the Oracle PeopleSoft zero-day CVE-2026-35273, prompting the intergovernmental body to investigate.

Victim
Council of Europe
SectorGovernment
CountryFrance
Threat actorShinyHuntersUNC6240
CVECVE-2026-35273

On 14 June 2026, the extortion crew ShinyHunters publicly claimed to have stolen roughly 297GB of data from the Council of Europe β€” the continent's oldest intergovernmental body, based in Strasbourg and best known for the European Convention on Human Rights and the European Court of Human Rights. The group threatened to leak the trove, setting a deadline of 16 June 2026, and the Council said it was investigating the claims.

What happened

According to ShinyHunters' own statements, the haul spans about 429,000 files with records dating from 2011 to 2026, including roughly 409,000 payslips, 14,000 CVs and 3,700 internal HR documents. The attackers say the payroll and human-resources data covers more than 10,000 current and former employees, contractors and job applicants across multiple Council entities β€” the Secretariat, the Human Resources Directorate, the Parliamentary Assembly and the European Directorate for the Quality of Medicines (EDQM) β€” and includes salary details, bank account information, tax and social security records, and personal identifiers such as names, addresses and contact details.

The intrusion is tied to CVE-2026-35273, a critical (CVSS 9.8) unauthenticated remote-code-execution flaw in Oracle PeopleSoft PeopleTools. ShinyHunters exploited the bug as a zero-day β€” activity observed between roughly 27 May and 9 June 2026, before Oracle's 10 June emergency advisory β€” to compromise more than 100 organisations running vulnerable PeopleSoft instances, many of them universities. The Council of Europe is among the most prominent victims to surface in that campaign.

Why it matters

The figures here are attacker claims and, at the time of disclosure, the Council had not confirmed what, if anything, was taken. Even so, payroll and HR datasets of this kind β€” bank details, tax and social security numbers, salaries and CVs spanning more than a decade β€” are precisely the material that fuels identity theft, fraud and follow-on phishing, and their exposure at an institution that handles sensitive human-rights and diplomatic work carries heightened risk. The case also underscores how a single PeopleSoft zero-day let one crew pivot from mass university breaches to a marquee European intergovernmental target.

Timeline

  1. Start of the exploitation window later attributed to abuse of the Oracle PeopleSoft PeopleTools zero-day CVE-2026-35273, predating Oracle's advisory.

  2. Oracle releases an emergency out-of-band security alert for CVE-2026-35273 after the flaw is exploited as a zero-day across more than 100 organisations.

  3. ShinyHunters publicly claims the theft of roughly 297GB of Council of Europe data and threatens to leak it; the Council says it is investigating the claims.

Sources

  1. theregister.comhttps://www.theregister.com/cyber-crime/2026/06/15/council-of-europe-hacked-in-shinyhunters-peoplesoft-heist/5255757
  2. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/
  3. cybernews.comhttps://cybernews.com/security/council-of-europe-data-breach-claim/
  4. securityweek.comhttps://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/
  5. sqmagazine.co.ukhttps://sqmagazine.co.uk/shinyhunters-council-of-europe-data-breach/

Related incidents