Summary
- ShinyHunters claims it stole hundreds of thousands of files from the Council of Europe.
- The Council has said it is investigating and assessing the situation, without confirming the attackers’ claims.
- The alleged incident highlights public-sector exposure through HR, payroll, identity, and administrative systems.
The Council of Europe is investigating claims by the ShinyHunters extortion group that it stole HR, payroll, and personnel data from the Strasbourg-based human rights institution.
The Council has not confirmed the attackers’ claims. Its media department has said the organisation is investigating and assessing the situation, while declining to provide further information at this stage. That caution is necessary, since extortion groups use breach claims to create pressure before forensic facts are established.
The alleged material is highly sensitive. ShinyHunters claims to have taken hundreds of thousands of documents from multiple Council departments, including payslips, personnel files, CVs, payroll exports, bank-account details, staff identifiers, addresses, salary information, tax information, and absence or illness records.
The Council of Europe is not an EU institution, although all 27 EU member states are among its 46 members. Founded in 1949, it is one of Europe’s central human rights bodies, with work spanning democracy, rule of law, treaties, monitoring, and the European Court of Human Rights system. Even if the alleged material relates mainly to internal administration rather than legal or diplomatic work, the sensitivity is obvious.
Public institutions hold the same categories of high-risk data as large enterprises. Payroll, personnel files, identity records, supplier documents, contract material, health-related absence records, travel claims, and bank details sit inside back-office systems that rarely attract public attention until they fail. Extortion groups have become skilled at finding those systems because the data is dense, personal, and difficult for victims to ignore.
ShinyHunters has been linked to large data-theft and extortion campaigns against organisations using widely deployed enterprise systems and third-party services. In recent activity, the group has claimed attacks against organisations using Oracle PeopleSoft, alongside previous campaigns involving Salesforce customers and cloud data platforms. Individual claims require verification, but the pattern is consistent: attackers look for common enterprise technology that can open paths into many organisations at once.
That creates a public-sector resilience problem that is wider than one institution. Government agencies, universities, councils, hospitals, regulators, and intergovernmental bodies increasingly depend on the same HR platforms, identity systems, collaboration tools, enterprise resource-planning software, and cloud-hosted databases used in the private sector. A weakness in a common system can quickly cross borders and sectors.
For staff whose data may be exposed, HR and payroll breaches can carry long-tail harm. Salary information, tax identifiers, bank details, medical references, and home addresses can support fraud, phishing, impersonation, harassment, and social engineering. Public servants and institutional staff may also face targeted scams built around the credibility of leaked internal documents.
For the institution, response costs extend well beyond forensic work. Data-protection assessment, staff communication, supplier review, credential resets, legal exposure, monitoring, and public trust all have to be managed while technical teams work out what happened. The operational service may continue running, yet the administrative damage can be prolonged.
The case also exposes a weakness in the way institutional cyber maturity is often judged. Public websites, citizen-facing services, and visible infrastructure attract scrutiny, but the systems that manage people and money are just as important to resilience. HR, payroll, procurement, identity, and records platforms form part of the real institutional perimeter.
The Council’s immediate task is to establish whether the claimed data is genuine, how any access occurred, which systems were involved, and whether the incident is isolated or part of a broader campaign. The broader lesson is already familiar to security teams: public-sector cyber risk now runs through commercial software, outsourced administration, and old integration layers as much as through headline public-service platforms.










