ShinyHunters has put the Council of Europe on the clock, claiming it stole 297GB of sensitive data and threatening to publish it unless its demands are met.
The cyber extortion group says the data includes payroll records, medical information, employee data, and thousands of resumes spanning 16 years. The group has given the Council of Europe until June 16, 2026, to comply with ransom demands or risk having the alleged data exposed online.
The organization has not confirmed a breach and says it is investigating the claims.
If verified, the incident would expose one of Europe’s most prominent international institutions to the same threat actor linked to attacks targeting Oracle customers and other major organizations. The claim also highlights the growing use of data theft and public leak threats as leverage in modern ransomware-style extortion campaigns.
A familiar hacking playbook
On Sunday, the ShinyHunters group posted the Council of Europe on its data leak site, claiming to have exfiltrated 297GB of data across 429,000 files. The group says the stolen data will be released today, June 16, if the council doesn’t comply with ransom demands.
According to the group’s post, the alleged theft spans multiple departments, including human resources, the Secretariat, the Parliamentary Assembly, and the European Directorate for the Quality of Medicines & HealthCare (EDQM).
The attackers claim the files contain payroll data covering more than 10,000 employees, over 14,000 resumes, performance evaluations, contracts, purchase orders, absence reports, and illness records.
BleepingComputer also added over 409,000 payslips and more than 3,700 in-house personal files to the list. The alleged dataset includes employee names, dates of birth, IDs, addresses, phone numbers, tax information, Social Security data, and medical records dating from 2011 through 2026.
The event follows a familiar formula favored by the group. Rather than immediately publishing evidence or publicly demanding payment, the group first advertises the alleged breach, highlights the sensitivity of the stolen information, and imposes a deadline designed to pressure victims into opening negotiations before any data is released.
If the compromised organization fails to meet the group’s demands, their data joins that of others before them.
A claim without confirmation
For now, the Council of Europe says it is “currently investigating the matter and assessing the situation.”
As a result, several key questions remain unanswered. It is not yet known whether the Council of Europe was actually compromised, whether the purported data is authentic, how ShinyHunters may have gained access to the Council of Europe network, or whether the group has already shared any information.
The lack of confirmation, however, has not stopped security researchers from being on alert. ShinyHunters has been linked to several very high-profile data breaches this year alone, with a high degree of consistency. That gives the group’s claims more weight than if it were from a lesser-known extortion group.
Until the Council of Europe confirms, or ShinyHunters dumps the data, whichever comes first, the case remains a high-profile extortion claim rather than a confirmed compromise.
European organizations remain visible targets
Whether this claim is true or not, one thing is increasingly clear: European organizations appear to have become prime targets.
Last Wednesday, the University of Nottingham confirmed a data breach for which responsibility was claimed by the ShinyHunters group. Earlier this month, Oxford University announced that it had been breached. While one may be quick to conclude that it is primarily limited to universities, the same ShinyHunters group stole and dumped 91.7 GB of compressed files from the European Commission in March.
All organizations, regardless of sector, must, as a result, tighten security practices, continuously educate employees on cybersecurity measures, and reevaluate the security posture of third-party vendors to reduce their attack surface areas.
Also read: Nintendo faces an alleged data extortion incident involving HR records, internal reports, and potential exposure of third-party vendors.
