Summary
- The Council of Europe has confirmed that it is investigating ShinyHunters’ claims.
- The claimed scale and contents of the alleged theft remain unverified.
- HR, payroll, and internal records would create long-lived personnel, fraud, phishing, and institutional risk if confirmed.
The Council of Europe is investigating claims by the ShinyHunters extortion group that it stole a large volume of internal documents from the European institution.
The organisation has not confirmed a breach. Its public position is that it is investigating and assessing the situation, leaving the central facts unresolved: whether data was taken, how much was affected, which systems were involved, and whether the attacker’s description of the incident is accurate.
ShinyHunters has claimed responsibility for a series of recent data theft and extortion attempts. In this case, the group claims to have obtained hundreds of thousands of files from Council of Europe departments, including human resources and payroll material. Reported claims include employee records, payslips, CVs, contract documents, purchase orders, absence and illness records, banking details, tax information, and other internal files.
Those claims remain allegations. Extortion groups often exaggerate volume, conflate low-sensitivity directory material with high-sensitivity records, or present partial access as broad compromise. The confirmed fact is narrower: a major European institution is assessing a serious data theft claim and has not yet publicly confirmed the attacker’s account.
The Council of Europe is not an EU body, but it is one of the continent’s most prominent intergovernmental organisations, with 46 member states and a mandate covering human rights, democracy, and the rule of law. Its work involves officials, delegates, staff, contractors, interpreters, experts, and institutional relationships across Europe.
Personnel and payroll data create a different risk profile from many consumer breach datasets. Names, addresses, employment histories, tax identifiers, bank details, salary information, health-related absence records, and performance material cannot be rotated like passwords or replaced like payment cards. If confirmed, exposure of those records could support fraud, impersonation, coercion, targeted phishing, and reputational pressure on individuals and the institution.
The alleged incident also reflects a broader pattern of attacks against administrative platforms and institutional records. Large organisations often treat human resources, payroll, finance, case management, and enterprise resource planning systems as back-office infrastructure. Attackers treat them as consolidated repositories of identity, financial, procurement, access, and organisational intelligence.
That raises questions of segmentation, access control, logging, encryption, and retention. The security outcome is not limited to whether an attacker entered a system. It also depends on how much data could be reached from that point, whether unusual access was detected, whether sensitive records were isolated, and whether permissions had accumulated beyond operational need.
European institutions, universities, public bodies, and regulated organisations increasingly rely on common enterprise platforms and outsourced services to run administrative processes. When those platforms fail, the exposure is rarely confined to one department. The same system can hold employee data, supplier records, payment details, contracts, and internal communications that remain valuable long after an extortion deadline passes.
The next material facts will be whether the Council of Europe confirms unauthorised access, identifies affected systems, notifies individuals or regulators, or disputes the claimed scale. Until then, the case should be handled as an investigation into alleged data theft, with the attacker’s claims clearly separated from confirmed institutional findings.





