ShinyHunters Again? Council of Europe Probing Theft of Payroll, HR and Other Sensitive Data
Right about now, the Council of Europe may be echoing the sentiments of Butch Cassidy (at least in the 1960s movie), “Who are those guys?”
The relentless ShinyHunters reportedly has struck once again and the target was the European continent’s premier and longest-lasting intergovernmental human rights organization, which is now looking into claims by the prolific extortion group.
In a post on its dark website, where it typically leaks data, the group threatened to leak files it claimed to have stolen from the Council of Europe and more. “This is a final warning to reach out by 16 June 2026 before we leak along with several annoying (digital) problems that’ll come your way,” the ransomware operatives wrote, Bleeping Computer reported.
The site noted that the Council responded by saying, “We are currently investigating the matter and assessing the situation. We have no further comment to make at this stage.”
Among the stolen documents, the ransomware group said, are more than 409,000 payslips from the last 15 years for the Council’s more than 10,000-strong staff as well as more than 3,700 in-house personnel files.
Data exfiltrated includes names, birthdates, Social Security information, medical records and bank account information, as well as salary and medical data.
“HR and payroll systems are among the most data-rich environments in any organization, yet they’re routinely treated as administrative infrastructure rather than high-value targets requiring the same access controls applied to more obviously sensitive systems,” says Keeper Security CISO Shane Barney.
“The data held in those repositories is exactly what sophisticated threat actors want, because it’s actionable far beyond the original breach,” he says.
That kind of financial information in the hands of miscreants “enables fraud, personal identifiers enable impersonation and medical records carry their own coercive weight” and “when combined in a single exfiltration, the downstream harm to affected individuals compounds over years, not weeks.”
Chris Radkowski, GRC expert at Pathlock, explains that “incidents involving employee and payroll records serve as a reminder that sensitive personal data carries significant regulatory and business risk.”
ShinyHunters has continued its “consistent pattern of targeting SaaS platforms and third-party systems where access governance tends to lag behind exposure, most recently exploiting a zero-day in Oracle PeopleSoft affecting an estimated 100 organizations,” says Barney.
Right now, he points out, the specific entry point has not been determined and remains under investigation. But “the volume of the alleged exfiltration strongly suggests that access to sensitive repositories wasn’t sufficiently restricted, monitored or time-limited,” he says.
The Council of Europe incident raises questions about security practices at the organization. Noting that “what ShinyHunters allegedly extracted includes payroll records spanning 15 years, bank account details, medical information, Social Security data and personnel files for more than 10,000 employees,” Barney says, “when an adversary walks away with that kind of depth and breadth, the breach didn’t happen overnight, and it almost certainly wasn’t contained to a single point of entry.”
That leaves a pressing question for organizations watching this situation unfold: Would they have “detected a similar exfiltration before the attacker announced it publicly? If the answer is uncertain, that’s the gap worth addressing first,” says Barney.
ShinyHunters has proved to be a formidable foe for the likes of Adidas, AT&T, Qantas and Canvas. But they and others can be thwarted by following some commonsense security practices. “Organizations should ensure they have appropriate governance, security, and monitoring controls in place to protect employee information and support compliance with frameworks such as GDPR,” says Radkowski.

