The ShinyHunters cybercriminal group has claimed responsibility for a significant data breach targeting the Council of Europe, asserting it extracted 297 gigabytes of sensitive internal records including HR system data, payroll files, and personnel records covering more than 10,000 employees and contractors across the Strasbourg-based intergovernmental organisation.
What Happened
ShinyHunters — the threat group responsible for the 2024 Snowflake-linked wave of data extortion affecting AT&T, Ticketmaster, and Santander — posted claims of the breach on a criminal forum on 14 June 2026. The group alleges exfiltration of data from the Council of Europe’s internal human resources management system, including salary information, personal identification data, employment contracts, performance records, and internal communications between secretariat staff.
The Council of Europe, which oversees the European Convention on Human Rights and houses the European Court of Human Rights, employs approximately 2,200 permanent staff but manages contractual and associate relationships extending to considerably more individuals. A dataset of 10,000+ affected persons encompasses both permanent secretariat employees and a significant population of associate staff, legal observers, and contractors.
The Council had not publicly acknowledged the breach at the time of publication. The completeness and authenticity of the alleged data had not been verified by independent third parties.
Why It Matters
Breaches of intergovernmental bodies carry compound sensitivity. Unlike commercial organisations, the Council of Europe’s staff includes legal officials from 46 member states, human rights investigators, judicial administrators, and policy staff involved in politically sensitive proceedings. Exposure of their salary data, identities, and employment records creates risk extending beyond conventional identity theft.
ShinyHunters’ methodology is well-documented: the group typically targets SaaS platforms with weak session token controls or exploits misconfigured cloud storage buckets, then leverages legitimate credentials to exfiltrate large volumes of data before detection. Organisations sharing cloud tenancy with SaaS vendors compromised in previous ShinyHunters campaigns — particularly Snowflake-hosted environments — should audit their access logs for anomalous bulk data access patterns even if the primary SaaS vendor has not notified them.
The breach follows a pattern of threat actors targeting European intergovernmental and governmental bodies throughout 2026. EU institutions have invested significantly in post-GDPR technical controls, but enforcement mechanisms and security monitoring for non-EU European bodies such as the Council of Europe vary considerably and lack the regulatory scrutiny applied to member state data controllers.
Implications for Partner Organisations
Staff data exposed in such breaches has historically been leveraged for spear-phishing campaigns targeting the breached organisation’s partner networks, member state ministries, and legal counterparts — particularly in the context of pending European Court of Human Rights proceedings, where personnel identity becomes operationally valuable to hostile state actors.
Organisations with integration or data-sharing relationships with Council of Europe systems should treat the weeks following this disclosure as an elevated phishing threat period for communications originating from or referencing Council of Europe domains.
Recommended Actions
- Audit inbound communications from Council of Europe domains for anomalous patterns consistent with credential phishing leveraging exposed personnel data
- Review shared SaaS tenancies or joint collaboration portals with the Council — particularly document management, HR, and legal case management platforms
- Brief legal and compliance teams if your organisation has ongoing ECHR proceedings — personnel data exposure creates targeted social engineering risk for parties engaged in live legal matters
- Monitor threat intelligence sources for Council of Europe credential dumps appearing in dark web marketplaces, which often precede secondary attacks against partner organisations
- For European government IT teams: the exposure of detailed HR records from one intergovernmental body should prompt an internal review of your own HR system’s access controls, particularly bulk export permissions and API access to HR platforms from service accounts
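
The access-log audit for anomalous bulk data access recommended above, as an added example that is not part of the original article: a per-principal baseline check that flags days on which an account exports far more HR records than its own history, and lists any source IP not seen before. The log format, account names, addresses and thresholds are assumptions made for illustration.

```python
import csv, io, statistics
from collections import defaultdict

# Constructed sample export log (assumed format): date, principal, source_ip, rows_exported
SAMPLE_LOG = """\
2026-06-01,svc-hr-sync,10.0.4.12,1200
2026-06-02,svc-hr-sync,10.0.4.12,1180
2026-06-03,svc-hr-sync,10.0.4.12,1250
2026-06-04,svc-hr-sync,10.0.4.12,1210
2026-06-05,svc-hr-sync,10.0.4.12,1190
2026-06-06,svc-hr-sync,10.0.4.12,1230
2026-06-07,svc-hr-sync,203.0.113.50,300000
2026-06-07,svc-hr-sync,203.0.113.50,180000
2026-06-01,a.martin,10.0.7.31,40
2026-06-02,a.martin,10.0.7.31,35
2026-06-03,a.martin,10.0.7.31,50
2026-06-04,a.martin,10.0.7.31,45
2026-06-05,a.martin,10.0.7.31,38
2026-06-06,a.martin,10.0.7.31,42
"""

def daily_totals(log_text):
    """Sum rows exported per principal per day and collect that day's source IPs."""
    daily = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for date, principal, ip, rows in filter(None, csv.reader(io.StringIO(log_text))):
        daily[principal][date][0] += int(rows)
        daily[principal][date][1].add(ip)
    return daily

def find_bulk_anomalies(log_text, k=6.0, min_history=5):
    """Flag days where a principal exports far more than its own earlier baseline."""
    findings = []
    for principal, days in daily_totals(log_text).items():
        history, known_ips = [], set()
        for date in sorted(days):  # ISO dates sort chronologically
            rows, ips = days[date]
            if len(history) >= min_history:
                med = statistics.median(history)
                mad = statistics.median(abs(h - med) for h in history) or 1
                if rows > med + k * 1.4826 * mad:  # median + k scaled MADs
                    findings.append({"date": date, "principal": principal, "rows": rows,
                                     "baseline_median": med, "new_ips": sorted(ips - known_ips)})
                    continue  # keep the outlier out of the baseline
            history.append(rows)
            known_ips |= ips
    return findings
```

Using the median and MAD rather than mean and standard deviation keeps a single earlier spike from inflating the baseline and hiding a later one.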