ShinyHunters Steals 297 GB from Council of Europe HR Systems

ShinyHunters Steals 297 GB from Council of Europe HR Systems

The Council of Europe, the continent's leading institution for human rights, democracy, and the rule of law, has become the latest high-profile victim of the ShinyHunters ransomware group. The breach exposed 297 GB of sensitive HR and payroll data, including more than 409,000 payslips and over 14,000 employee CVs, affecting staff across the Secretariat and Directorate of Human Resources. The Council of Europe data breach by ShinyHunters is not just a cybersecurity incident; it is a pointed reminder that even the bodies charged with protecting citizens' rights can fail to protect the personal records of their own people.

What Was Stolen: Inside the 297 GB HR and Payroll Breach

According to the claims made by ShinyHunters, the haul from this breach is substantial. Over 429,000 files were compromised, with the data spanning payslips, CVs, employment contracts, and internal HR records. Payslips alone account for more than 409,000 documents, which means this breach likely covers a significant portion of the Council's current and former workforce.

The sensitivity of this data cannot be overstated. Payslips typically contain full legal names, home addresses, national identification numbers, bank account details, salary information, and tax records. CVs add yet another layer of exposure, including educational histories, personal references, and previous employment details. Together, this information provides cybercriminals with everything they need to conduct targeted phishing campaigns, commit identity fraud, or sell individual profiles on dark web marketplaces.

This kind of HR-focused attack is increasingly common. The Statistics South Africa HR system breach followed a strikingly similar pattern, with attackers targeting internal human resources infrastructure to extract employee records rather than going after customer-facing systems.

Why the Council of Europe Is a High-Value Target for Ransomware Groups

At first glance, an intergovernmental organization focused on human rights might seem like an unusual ransomware target. In practice, it is an exceptionally attractive one. The Council of Europe employs thousands of staff across its Strasbourg headquarters and multiple field offices, meaning its HR databases are dense with personal records. Institutional prestige also raises the leverage available to ransomware groups: the reputational cost of a breach is higher for a body whose mandate includes citizen rights and data protection.

ShinyHunters has a well-documented pattern of targeting large, visible organizations to maximize pressure for ransom payment. Earlier this year, the group issued a public ultimatum to Dutch telecommunications provider Odido. As detailed in coverage of the Odido data breach affecting 8 million customers, ShinyHunters threatened to publish stolen customer data unless a ransom was paid, demonstrating its willingness to use public disclosure as a pressure tool. That same playbook appears to be in use here.

The Council of Europe breach also follows ShinyHunters' earlier claimed attack on the European Commission's cloud infrastructure, which reportedly involved over 350 GB of data from the Europa.eu platform. Taken together, these incidents suggest the group has made European institutions a deliberate focus of its operations in 2025 and 2026.

The Irony of Privacy Watchdogs Failing to Secure Personal Data

The Council of Europe is the body responsible for the European Convention on Human Rights and oversees frameworks that member states use to govern data protection and digital privacy. It is, in other words, an institution that sets the standard for how personal data should be handled and protected. The irony of that institution suffering a breach of this scale is difficult to ignore.

This is not an isolated tension. Large institutions often have complex, legacy IT infrastructure, sprawling vendor relationships, and workforce data spread across dozens of interconnected systems. Those structural realities create attack surfaces that are genuinely difficult to manage, regardless of how strong the organization's stated commitments to privacy may be. The breach illustrates that good policy intentions do not translate automatically into good operational security.

For affected employees, the consequences are immediate and personal. Anyone whose payslip or CV was among the 429,000-plus files now faces potential exposure of their financial details and identity documents. Dark web sales of institutional HR data, like those seen in the Iliad Italia customer data listing, tend to follow breaches quickly, giving criminals a ready market for the stolen records.

How Individuals Can Protect Themselves When Institutions Fall Short

When an employer or institution is breached, affected individuals have limited control over what was taken. But there are concrete steps you can take to limit further exposure.

Monitor your financial accounts closely. Bank details exposed in payslips can be used for direct fraud. Set up alerts for unusual transactions and consider whether a temporary freeze on credit inquiries is appropriate in your jurisdiction.

Be alert to spear-phishing attempts. Attackers who have your CV and payslip know your employer, salary band, and job title. They can craft highly convincing impersonation emails using that context. Treat unexpected messages requesting action or credentials with extra skepticism, even if they appear to come from colleagues or HR.

Use a VPN on public and shared networks. While a VPN does not prevent a server-side breach, it does protect your traffic from interception when you access employer portals or sensitive accounts remotely, reducing one vector of credential theft.

Check whether your data appears in breach databases. Services that monitor known breach datasets can alert you if your email or other identifiers surface in newly published datasets.

Request clarity from your employer. If you are a Council of Europe employee or contractor, push for specific communication about which records were affected and what remediation is being offered.

Institutional breaches like this one are a reminder that personal data hygiene matters most precisely when the organizations holding your records fail to protect them. Reviewing your exposure, securing your accounts, and staying alert to social engineering are not optional extras; they are the baseline response when data you did not hand over to criminals ends up in their hands anyway.

ShinyHunters' escalating attacks on European institutions suggest this group is not slowing down. Staying informed and taking proactive steps with your own digital security is the most effective response available to individuals caught in the crossfire.