ShinyHunters Claims Theft of 297 GB from the Council of Europe, Affecting 10,000 Employees

The extortion group ShinyHunters announced on Sunday (14) its claim of stealing 297 GB of data from the Council of Europe, headquartered in Strasbourg. In a post on its own leak site, the group asserts that it has exfiltrated 429,000 files containing payroll records of over 10,000 employees between 2011 and 2026, more than 409,000 pay slips, 14,000 resumes, and approximately 10,700 individual personnel folders. The date of the attack indicated by the group is June 13. The Council of Europe had not made a public statement by the time of this report.

ShinyHunters set a deadline of June 16 for the Council to make contact, under the threat of full disclosure of the data set. The claimed data includes banking, tax, and labor records associated with the institution's staff, according to a description posted by the group and replicated by specialized aggregators such as ransomware.live. No independent primary source, such as the European data protection regulator, had confirmed by Sunday that the published data corresponds to authentic records of the Council.

The Target (and What It Is Not)

The Council of Europe is not an institution of the European Union. Established in 1949, it consists of 46 member states and houses the European Court of Human Rights. The data that ShinyHunters claims to possess includes information about judges, prosecutors, and technical staff spread across various directorates, with references to DGI, DGII, DG-HR, and DG-HRL folders in the shared samples. Confusion between the Council of Europe and the European Commission or the EU Council was prevalent in the initial reports published on Sunday, especially due to the temporal proximity to discussions regarding Anthropic and European sovereignty.

ShinyHunters claimed a similar attack in March 2026 against an AWS environment attributed to the European Commission. In both cases, official confirmation of the target took weeks and came with a scope distinct from that claimed by the group. The current collection, if authentic, encompasses personal data of citizens from at least 46 countries and would trigger mandatory notification to the Council's Data Protection Committee and oversight under CETS 108+, a continental regime equivalent to GDPR concerning treaties.

The Group's Modus Operandi

ShinyHunters has been operating for about six years as a vendor of data in underground forums. The group has claimed attacks against Madison Square Garden Sports, Ralph Lauren, JCPenney, American Tower, and several subsidiaries of Catalyst Brands and Authentic Brands Group. The pattern is the same: extortion by exposure rather than classic encryption, with short deadlines, file samples as proof, and a leak site managed on Tor infrastructure.

The claim this weekend states that the entry vector was a central administrative file repository. The group has not yet published cryptographic evidence of exclusive possession, such as intact hashes or original file metadata, technical controls that threat intelligence researchers usually require before treating a claim as confirmed.

The Takeaway for CISOs

The claim reopens a corporate issue that application security does not cover: the exposure of Human Resources data in legacy administrative systems. The description of the folder collection cited by the group suggests storage on a shared file server, a model still common in international organizations and ministries. CISOs in European multinationals and organizations with a presence in Geneva, Brussels, and Strasbourg replicate a similar structure: centralized NetApp or Windows File Server with permissions by directorate, often outside the newer EDR perimeter of the corporate environment.

In the financial sector, the replica of the problem lies within payroll repositories. Itaú, Bradesco, and BTG Pactual in Brazil, BBVA in Spain, and DBS in Singapore maintain files with over a decade of digitized pay slips in systems adjacent to the core banking system. An equivalent attack to that claimed against the Council would expose, in jurisdictions with GDPR-like rules, accumulated penalties easily exceeding eight figures in euros per affected member state.

What Still Needs to be Addressed

Without confirmation from the Council of Europe, three questions remain unanswered. First, whether there was indeed exfiltration of the claimed volume or if the group is merely gathering old samples from other breaches. Second, whether there is a known exploitation vector (recent CVE, purchased credential, or targeted phishing) or if the entry was via an insider. Third, whether other European diplomatic bodies in Strasbourg, including the European Parliament during plenary sessions, shared the now-suspected infrastructure.

The expected response for this Monday is an official statement from the Council's Communication Directorate and movement from the heads of mission of the 46 member states. Until then, ShinyHunters’ post remains as an unverified claim, rather than a confirmed event.