Lead Analysis
Security & Risk · 6 min

ShinyHunters Claims Theft of 297 GB from the Council of Europe via Zero-Day in Oracle PeopleSoft

Palace of Europe in Strasbourg at dusk under heavy clouds, EU flag at half-mast and a lit window on the fourth floor with red server lights visible through the wet glass.

Group claims to have exfiltrated 429,000 files from the Strasbourg-based organization by exploiting CVE-2026-35273 (CVSS 9.8). The Council states it is investigating; Oracle releases patch in June bulletin.

The group ShinyHunters claims to have exfiltrated over 297 GB and 429,000 files from the Council of Europe in Strasbourg, exploiting the zero-day CVE-2026-35273 in Oracle PeopleSoft. The claim appeared on the group's panel on June 14 and was reported by The Register and Computing UK on Monday. The Council of Europe, speaking with The Register, simply stated it is "investigating the matter and assessing the situation." The organization had not publicly confirmed the breach by the time this article was published.


CVE-2026-35273 is a remote code execution vulnerability in PeopleSoft Enterprise PeopleTools, with a CVSS score of 9.8. It does not require authentication or user interaction, only network access via HTTP. The exploitation window occurred between May 27 and June 9, according to Mandiant, which tracks the initial exploit group as UNC6240. Oracle only published an advisory on June 10, leaving the vulnerability as a zero-day for more than two weeks. On Tuesday, June 16, the vendor released a complete patch and additional technical details in the June quarterly bulletin.


The Broader Campaign Behind the Attack


The claim against the Council of Europe is the most visible piece of a campaign that has hit more than 100 organizations. In an interview with The Register, ShinyHunters stated it had reached 300 instances of PeopleSoft spread across these victims. Sixty-eight percent were from the higher education sector, predominantly in the United States. Among the confirmed victims so far is the University of Nottingham in the UK, which acknowledged the theft of 40 GB of personal and financial data of current and former students.


The nature of the data claimed in the case of the Council of Europe elevates the risk. According to the group's panel, the files include over 409,000 paychecks of around 10,000 employees, HR records, purchase orders, resumes, banking, tax, and medical data. If the claim is confirmed, the leak impacts the server base of the continent's main human rights organization, based in Strasbourg and with a mandate over 46 member countries.


The Gap That Opened the Window


Mandiant's analysis indicates that ShinyHunters' exploit relies on an open classpath in PeopleTools, which allowed for the deserialization of arbitrary Java objects. This combination resulted in RCE with the privileges of the application user, without the need for credentials. For CISOs, the issue is structural. PeopleSoft remains a central ERP for payroll, HR, and finance in hundreds of public and private institutions, and each deployment tends to be coupled with customizations that have slow patch cycles. Oracle Cloud Infrastructure was not exposed, but the on-premises base and third-party datacenters were.
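A defender-side hunt for the behaviour described above, as an added example (not code from the article, Mandiant or Oracle): it flags HTTP request bodies that carry a Java serialization stream header, raw or base64-encoded, inside the May 27 to June 9 window. The record layout, sample data, paths and the year 2026 (taken from the CVE identifier) are assumptions.

```python
import base64
import re
from datetime import date

JAVA_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream header: magic + version
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/]{3}")  # same header, base64-encoded
# Exploitation window from the article; the year is assumed from the CVE identifier.
WINDOW_START, WINDOW_END = date(2026, 5, 27), date(2026, 6, 9)

def serialized_java_markers(body: bytes) -> list[str]:
    """Return which Java serialization markers appear in a request body."""
    markers = []
    if JAVA_MAGIC in body:
        markers.append("raw")
    for match in B64_CANDIDATE.finditer(body):
        # Decode the 8-character prefix (6 bytes) to confirm the full 4-byte header;
        # "rO0AB" alone only pins down the first 30 bits.
        if base64.b64decode(match.group(0)).startswith(JAVA_MAGIC):
            markers.append("base64")
            break
    return markers

def hunt(records):
    """Yield (day, source, path, markers) for in-window requests carrying a marker."""
    for day, source, path, body in records:
        if not WINDOW_START <= day <= WINDOW_END:
            continue
        markers = serialized_java_markers(body)
        if markers:
            yield day, source, path, markers

# Constructed sample records (not real traffic); the payload is a header plus filler.
_FAKE_STREAM = JAVA_MAGIC + b"constructed-filler-not-an-object"
SAMPLE = [
    (date(2026, 5, 26), "192.0.2.10", "/example/endpoint", _FAKE_STREAM),  # before window
    (date(2026, 5, 28), "192.0.2.10", "/example/endpoint", _FAKE_STREAM),  # raw stream
    (date(2026, 6, 3), "198.51.100.7", "/example/endpoint",
     b"data=" + base64.b64encode(_FAKE_STREAM)),                           # base64 form
    (date(2026, 6, 4), "203.0.113.5", "/example/endpoint",
     b"token=rO0ABzzz"),                                                   # look-alike
    (date(2026, 6, 5), "203.0.113.5", "/example/login", b"user=alice"),    # benign
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(*hit)
```

A hit is only a lead for triage: request bodies have to come from a proxy, WAF or packet capture, since standard access logs do not record them.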


The US Cybersecurity and Infrastructure Security Agency included CVE-2026-35273 in the Known Exploited Vulnerabilities Catalog and set a deadline of June 29 for US federal agencies to remediate. In the European Union, ENISA issued a parallel alert. For Brazilian companies, the fragility is twofold: Petrobras, Banco do Brasil, and part of the federal university system operate PeopleSoft, and the maintenance cycle depends on a quarterly change window. Without immediate review of configuration and network segmentation for the application server, the vector remains open even after the patch has been applied, according to a technical note from CSO Online.


What the Case Changes in Risk Contracts


Pressure on legacy ERP vendors gains a regulatory dimension. The Council of Europe, if the incident is confirmed, will have to notify national data protection authorities in 46 jurisdictions. For the legal teams of US and European banks that use PeopleSoft, the case reopens cybersecurity clauses in contracts with Oracle, especially those related to zero-day disclosure windows. The gap between May 27, when Mandiant identified exploitation, and June 10, when the advisory was released, is exactly the type of gap that CFOs and CISOs have been trying to price over the last two quarters.


ShinyHunters operates under a model of extortion without ransomware: it steals, threatens to publish, and negotiates. The group set a deadline of Tuesday, June 16, for the Council of Europe to pay. There is, so far, no public evidence of the files being published. Oracle had not commented on the extortion attempt against the Council of Europe by the time this article was published.
