On 14 June 2026, the ransomware and extortion group ShinyHunters publicly claimed responsibility for a cyberattack on the Council of Europe, one of the continent’s oldest and most prominent intergovernmental organisations, headquartered in Strasbourg and separate from the European Union institutions. ShinyHunters alleged the theft of 297 GB of data spanning more than 429,000 files, with a deadline of 16 June 2026 for a ransom to be paid before publication.
The Council of Europe confirmed in a brief statement that it is investigating the matter and assessing the situation. At the time of writing, the organisation has provided no further detail on the scope of the breach, whether the claims have been verified, or whether any ransom payment was made. The stolen data, if the claims are accurate, represents one of the most sensitive European institutional breaches of 2026.
What was allegedly taken
ShinyHunters’ claims describe a dataset drawn from multiple internal systems across several Council of Europe entities: the main Secretariat, the Human Resources Directorate, the Parliamentary Assembly, and the European Directorate for the Quality of Medicines (EDQM).
The core of the claimed theft is 409,000 payslips from approximately 10,000 current and former employees. Payslips from an international organisation of this type contain a significant amount of personal and financial information: gross and net salary figures, tax deductions, social security contributions, and bank account details used for payroll disbursements.
Beyond payslips, the claimed data includes 14,000 CVs submitted by current and former staff and job applicants, 3,700 internal HR documents covering employee personal data and employment history, and additional files containing tax records, national insurance and social security identifiers, home addresses, personal contact details, and internal administrative correspondence.
Why this breach matters beyond the organisation itself
The breach of a major European intergovernmental organisation’s HR and payroll systems matters for reasons that extend well beyond the direct impact on Council of Europe employees.
The personal data allegedly taken is precisely the type of information used in identity fraud and account takeover. Bank account numbers, salary figures, personal addresses, and national identifiers give a threat actor the raw material to impersonate affected individuals with financial institutions, credit providers, and government services. For individuals whose data appeared in a prior breach, the addition of confirmed salary and bank account data significantly increases the quality of the attacker’s profile.
The breach also demonstrates that no category of organisation is structurally exempt from this class of attack. The Council of Europe is a body that works directly on human rights, rule of law, and democratic governance across 46 member states. Its staff data is now, if the claims are accurate, in the possession of a criminal group that has demonstrated a willingness to publish stolen data publicly when ransoms are not paid.
ShinyHunters and the pattern of European institutional targeting
ShinyHunters has been responsible for a significant number of high-profile data theft operations in 2025 and 2026. The group’s preferred method is to access sensitive data stores, exfiltrate large volumes before detection, and then use the threat of publication as leverage for payment. This model does not require the deployment of ransomware or file encryption, which makes it harder to detect through traditional ransomware monitoring approaches.
Earlier in 2026, the breach of the European Commission’s AWS cloud infrastructure was attributed to ShinyHunters. That breach involved 350 GB of exfiltrated data, including DKIM signing keys, SSO user directories, and email backups, and was ultimately traced to a supply chain compromise of the Trivy vulnerability scanner used in the Commission’s CI/CD pipeline.
The Council of Europe breach, if confirmed, would be a separate operation targeting a different set of systems and a different class of data. The two incidents together illustrate a consistent targeting pattern: European institutional infrastructure at the regional and intergovernmental level.
GDPR implications and notification requirements
If the Council of Europe is processing data subject to the General Data Protection Regulation, a breach of this scale and type would trigger mandatory notification requirements under Article 33 and Article 34. Article 33 requires notification to the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to the rights and freedoms of natural persons. Article 34 requires direct notification to affected individuals when the breach is likely to result in a high risk to those individuals.
A dataset containing bank account details, national identifiers, salary records, and home addresses for 10,000 people clearly meets the threshold for a high risk to individuals. The affected employees include nationals of multiple countries across Europe and beyond, given the international composition of Council of Europe staff.
The Council of Europe itself operates under a specific legal framework as an intergovernmental organisation, and its precise GDPR obligations depend on how its data protection protocols are structured. However, staff from EU member states whose personal data was processed in connection with their employment may have claims under applicable national law and the GDPR.
What organisations can learn from this
European organisations that hold sensitive HR and payroll data should treat this incident as a direct prompt to review the controls protecting that data.
Payroll systems, HR databases, and document management platforms holding employee personal data are high-value targets for extortion groups precisely because the data they contain is guaranteed to be sensitive, is easily monetisable through identity fraud, and creates immediate reputational and compliance pressure when exposed.
Access controls for HR and payroll systems are frequently broader than necessary. HR staff, finance teams, and system administrators often have access to far more employee records than their specific role requires, because access management in HR platforms is rarely subject to the same rigorous least-privilege review applied to production infrastructure.
Network segmentation between HR and payroll systems and internet-facing infrastructure limits the attack paths available to a threat actor who gains initial access through a public-facing system. Data loss prevention controls on outbound traffic from systems that hold large volumes of structured personal data can detect anomalous bulk transfer activity before 297 GB leaves the organisation.
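The outbound-volume check described above can be sketched as follows. This is an added example, not code from the Council of Europe or any vendor product; the host names, internal address range, thresholds and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

MB, GB = 1024 ** 2, 1024 ** 3
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
WATCHED = {"hr-db01", "payroll-app01"}            # hypothetical hosts holding personal data

def is_external(dest):
    addr = ipaddress.ip_address(dest)
    return not any(addr in net for net in INTERNAL)

def daily_egress(flows):
    """Sum bytes sent to external destinations per watched host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dest, nbytes in flows:
        if host in WATCHED and is_external(dest):
            totals[host][day] += nbytes
    return totals

def flag_bulk_egress(flows, factor=10, floor=1 * GB, min_history=3):
    """Flag days where external egress exceeds factor x the host's median of
    prior days, with an absolute floor so quiet hosts do not alert on noise."""
    alerts = []
    for host, per_day in daily_egress(flows).items():
        history = []
        for day in sorted(per_day):
            total = per_day[day]
            if len(history) >= min_history:
                threshold = max(floor, factor * median(history))
                if total > threshold:
                    alerts.append((host, day, total, threshold))
                    continue  # keep anomalous days out of the baseline
            history.append(total)
    return alerts

# Constructed flow records: (day, source host, destination IP, bytes out)
DAYS = ["2026-01-0%d" % d for d in range(1, 6)]
FLOWS = (
    [(d, "hr-db01", "203.0.113.10", n * MB) for d, n in zip(DAYS, [200, 250, 220, 300])]
    + [(d, "hr-db01", "10.1.2.3", 50 * GB) for d in DAYS]   # internal backup, not counted
    + [(d, "payroll-app01", "203.0.113.10", 500 * MB) for d in DAYS]
    + [("2026-01-05", "hr-db01", "198.51.100.7", 40 * GB),  # bulk transfer in two flows
       ("2026-01-05", "hr-db01", "198.51.100.7", 35 * GB)]
)

if __name__ == "__main__":
    for host, day, total, threshold in flag_bulk_egress(FLOWS):
        print(f"{day} {host}: {total / GB:.1f} GB out, threshold {threshold / GB:.1f} GB")
```

A per-day threshold like this catches a fast bulk transfer but not a slow one spread over weeks, so a longer rolling window is a sensible companion check.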
If your organisation needs a review of access controls and data governance for HR and payroll systems, a GDPR data breach response assessment, or guidance on reducing the risk of extortion-focused data theft operations, contact Excello Digital. We work with European organisations to identify and close the security gaps that extortion groups target, and to prepare proportionate responses when incidents occur.
