"We are currently investigating the matter and assessing the situation. We have no further comment to make at this stage," the Council of Europe's media department told BleepingComputer.
Council of Europe confirms an active probe
The Council of Europe, the continent's oldest intergovernmental body, says it is looking into claims by the ShinyHunters extortion group that sensitive internal documents were stolen. The organization represents 46 European member states and a population of over 700 million people and describes its mission as promoting democracy and the rule of law across Europe and beyond. Asked to confirm the gang's assertions, the media department told BleepingComputer only that the matter is under investigation and declined further comment.
ShinyHunters' claimed haul: 429,000 documents and detailed payroll records
On its dark web leak site over the weekend, ShinyHunters posted what it said were files taken from multiple Council of Europe departments. The group claimed more than 429,000 documents in total, including over 409,000 payslips spanning 2011 to 2026 and covering "10,000+ staff." The post also listed more than 3,700 in-house personnel files, more than 14,000 CVs, and "other files."
The extortion group said the alleged files contain a wide array of personal and financial data: names, dates of birth, home addresses, phone numbers, employee IDs, salaries, bank account details, tax and Social Security information, medical records, and more.
Extortion timing: a hard deadline and threats of disruption
ShinyHunters warned the Council to make contact by 16 June 2026, saying, "This is a final warning to reach out by 16 June 2026 before we leak along with several annoying (digital) problems that'll come your way." The group threatened to publish the allegedly exfiltrated files on the following Tuesday if the deadline passed without contact.
ShinyHunters' recent campaign history cited in the claims
The group's post referenced a string of other alleged operations over the past year. According to the same posting, ShinyHunters has claimed attacks affecting Salesforce customers that resulted in more than 1.5 billion stolen records, in campaigns described as targeting Salesforce Aura and Salesloft Drift integrations. The post also links the group to attacks on "over a dozen Snowflake customers and other third-party integration providers."
Separately, the extortion group claimed responsibility last week for a campaign that exploited a zero-day vulnerability in Oracle's PeopleSoft enterprise business software suite. According to the public posting, that attack led to breaches at over 100 organizations, including the University of Nottingham.
What this means for Council staff, security teams, and policymakers
- Council staff: The items listed by ShinyHunters—payslips, personnel files, CVs and medical records—if authentic, represent the kind of personal and financial data that could directly affect employees whose names, bank account details and tax identifiers are included in the claimed set.
- Security teams and technologists: The posting points to a pattern of campaigns and third‑party exploitation, including claimed use of a PeopleSoft zero‑day and attacks on cloud integrations. Those claims, together with the size of the alleged haul, will focus attention on detection and incident response for integrations, HR systems and payroll data.
- Policymakers and regulators: The identified target is a pan-European human rights organization representing 46 member states, which raises cross-border privacy and legal questions about data protection, disclosure obligations and coordination between jurisdictions if the claim is substantiated.
The Council's investigation, the extortion group's posted deadline of 16 June 2026, and ShinyHunters' assertions about the content and scale of the files have set a narrow window for public developments. The Council has said only that it is assessing the situation; whether the group follows through on the threatened leak remains to be seen.




