The Council of Europe is investigating a claimed cyberattack after the ShinyHunters extortion group said it had stolen more than 297GB of data from the organisation. The alleged breach is being linked to a wider campaign involving Oracle PeopleSoft, where attackers reportedly exploited a zero-day vulnerability to compromise more than 100 organisations.

According to the group's claims, the stolen data includes hundreds of thousands of files containing sensitive internal records. These reportedly include HR documents, payroll records, payslips, purchase orders, CVs, salary information, banking details, tax records, and medical-related employee information.

A spokesperson for the Council of Europe said the organisation is currently assessing the situation but did not provide further details. At this stage, the full impact of the incident has not been independently confirmed.

ShinyHunters Links The Attack To A Wider PeopleSoft Campaign

ShinyHunters has claimed that the Council of Europe was one of many victims affected through a vulnerability in Oracle PeopleSoft. The flaw is being tracked as CVE-2026-35273, and the group previously claimed it had used the issue to compromise more than 100 organisations across around 300 exposed instances.

Oracle has not publicly clarified, based on the original report, whether the vulnerability has been patched. That leaves affected organisations in a difficult position, especially those still running internet-facing or poorly protected PeopleSoft systems.

PeopleSoft is widely used for human resources, payroll, finance, and administrative operations. That makes it a valuable target for cybercriminal groups because a successful breach can expose large volumes of personal, employee, financial, and institutional data.

Why PeopleSoft Breaches Can Be So Serious

A breach involving an HR or payroll platform is especially concerning because these systems often store some of the most sensitive information inside an organisation.

Unlike a simple email leak, HR system exposure can involve multiple layers of personal and employment data, such as:

This type of information can be used for identity theft, financial fraud, phishing, social engineering, and further attacks against both individuals and organisations.

For a public institution such as the Council of Europe, the reputational risk is also significant. Even if only part of the claimed data is confirmed, the nature of the information reportedly involved makes the incident serious.

University Of Nottingham Also Named As A Victim

The claimed Council of Europe breach follows another ShinyHunters-linked incident involving the University of Nottingham in the UK.

The cybercrime group previously listed the university on its leak site and later published data allegedly belonging to around 454,600 current and former students. The exposed data reportedly included personal and academic records.

This suggests that the PeopleSoft campaign may have had a strong impact on the education sector, where large databases of student, staff, payroll, and administrative records are commonly stored in enterprise systems.

Google Reportedly Warned More Than 100 Organisations

The wider campaign also lines up with a Google threat report that identified malicious activity consistent with exploitation of CVE-2026-35273 between May 27 and June 9.

Google's incident responders reportedly notified more than 100 organisations whose IP addresses appeared to be linked to potentially vulnerable endpoints. A large number of those organisations were based in the United States, and around 68 percent were said to operate in the higher education sector.

That detail is important because it shows the campaign may not have been random. Higher education institutions often run complex legacy systems, large student and staff databases, and many externally accessible services, making them attractive targets for data theft groups.

ShinyHunters Continues To Target Education And Public-Sector Data

The PeopleSoft campaign is not the only major education-related incident associated with ShinyHunters.

In May, education technology company Instructure, known for the Canvas learning platform, said it had reached an agreement with the group after a breach that reportedly exposed data linked to students, teachers, and staff. The wording strongly suggested that a ransom settlement may have taken place, although companies often avoid describing such payments directly.

That incident allegedly involved data connected to around 275 million students, teachers, and staff.

Earlier, ShinyHunters also claimed it had stolen data from Infinite Campus, a software provider used by K-12 schools. The company did not pay the group, and ShinyHunters later published data it claimed came from the breach. Infinite Campus said the leaked files largely consisted of names and contact information for school staff, much of which it described as directory-style information commonly found on school websites.

Even so, the repeated targeting of education and administrative systems highlights how valuable these datasets have become to extortion groups.

A Pattern Of Data Theft And Pressure Tactics

ShinyHunters operates as a data theft and extortion group. Instead of simply breaking into systems and disappearing, groups like this usually use stolen data as leverage. They may threaten to publish sensitive files unless the victim pays.

This type of attack can place organisations under intense pressure because the damage is not limited to downtime or technical disruption. Once sensitive data is copied out of a system, the organisation must deal with regulatory issues, public communication, legal exposure, employee or student concerns, and long-term reputational damage.

The Council of Europe case is still under investigation, but the claim itself fits the same pattern seen in recent ShinyHunters activity: exploit a major enterprise platform, extract large datasets, list the victim publicly, and use the threat of data exposure to increase pressure.

What Organisations Should Take From This Incident

The reported PeopleSoft campaign is another reminder that enterprise systems must be treated as high-risk assets, especially when they contain HR, payroll, education, or financial data.

Organisations using systems like PeopleSoft should review their exposure, patch status, access controls, logging, and incident response readiness. Even when a vulnerability has not been fully disclosed or publicly patched, suspicious activity around known enterprise software should be treated seriously.

Important defensive steps include:

The most damaging breaches are often not the ones that cause immediate outages, but the ones where attackers quietly extract sensitive information before anyone notices.

The Situation Remains Unclear

For now, the Council of Europe has only confirmed that it is investigating the matter. The exact scale of any breach, the authenticity of the claimed files, and whether the PeopleSoft vulnerability has been patched remain unclear based on the available information.

However, the broader campaign attributed to ShinyHunters shows how quickly a single vulnerability in widely used enterprise software can become a large-scale data theft operation.

If the claims are confirmed, the incident would add the Council of Europe to a growing list of organisations affected by ShinyHunters' ongoing attacks against administrative, education, and enterprise platforms.