What happened
The Council of Europe is investigating claims that the ShinyHunters extortion group stole hundreds of thousands of documents from the organization.
The Council of Europe is Europe’s oldest intergovernmental body and represents 46 member states and more than 700 million people. It promotes democracy and the rule of law across Europe and beyond.
When asked about the claims, the Council of Europe said it was investigating the matter and assessing the situation. The organization did not provide further comment.
ShinyHunters claimed on its dark web leak site that it stole more than 429,000 documents containing human resources and payroll data from multiple Council of Europe departments. The group threatened to leak the allegedly stolen files on June 16, 2026.
The group claimed the stolen documents included more than 409,000 payslips for over 10,000 staff members, covering records from 2011 to 2026. It also claimed to have obtained more than 3,700 in-house personnel files, over 14,000 CVs, and other files.
The allegedly stolen files are said to contain a wide range of personal and financial information, including names, dates of birth, home addresses, phone numbers, employee IDs, salaries, bank account details, tax and Social Security information, medical records, and other data.
ShinyHunters has been linked to several major data theft campaigns over the past year, including claims involving Salesforce customers, Snowflake customers, third-party integration providers, and Oracle PeopleSoft environments.
Who is affected
Council of Europe staff and personnel whose HR, payroll, CV, or personnel records may be included in the allegedly stolen files could be affected.
The claimed data set includes information tied to more than 10,000 staff members, including payslips, personnel files, CVs, and other records. If the claims are confirmed, affected individuals could face exposure of personal, employment, financial, tax, Social Security, and medical information.
The Council of Europe itself is also affected because the claims involve multiple departments and sensitive internal personnel records.
Why CISOs should care
This incident highlights the risk of large-scale HR and payroll data theft. Personnel records often contain a dense combination of personal, financial, employment, and health-related information, making them valuable for extortion, fraud, identity theft, and social engineering.
For CISOs, the claimed scale matters. ShinyHunters alleged that more than 429,000 documents were stolen, including more than 409,000 payslips and thousands of personnel files and CVs. Even before claims are confirmed, organizations need a clear process for assessing what data may be affected, whether files were accessed or exfiltrated, and what notification obligations may apply.
The case also reinforces the need to secure internal administrative systems, not only customer-facing platforms. HR, payroll, and personnel repositories may not always receive the same attention as production systems, but they can contain some of the most sensitive data an organization holds.
3 practical actions
- Prioritize HR and payroll repositories as high-value data stores: ShinyHunters claimed it stole payslips, personnel files, CVs, and other internal documents. CISOs should ensure HR and payroll systems have strong access controls, logging, multifactor authentication, and data loss monitoring.
- Prepare breach scoping for large document collections: The claimed theft involves more than 429,000 documents across multiple departments. Security teams should maintain data inventories and document classification processes so they can quickly determine which records may contain financial, tax, Social Security, medical, or employment information.
- Monitor for extortion and leak-site activity after data theft claims: ShinyHunters threatened to leak the allegedly stolen files by June 16, 2026. Organizations should have playbooks for dark web monitoring, evidence preservation, legal escalation, employee communications, and stakeholder notification when an extortion group claims to possess sensitive internal data.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.