The Council of Europe, the continent's oldest intergovernmental organization, confirmed on June 15, 2026 that it is actively investigating claims of a data breach made by the ShinyHunters extortion group. The group claimed unauthorized access to the Council's data over the weekend, triggering a formal inquiry by the institution's security team.
Who Is the Council of Europe?
The Council of Europe is a pan-European intergovernmental body founded in 1949, distinct from the European Union. It has 46 member states and is best known for:
- Drafting and monitoring the European Convention on Human Rights (ECHR)
- Overseeing the European Court of Human Rights (ECtHR)
- Promoting democracy, rule of law, and human rights across Europe and beyond
- Coordinating cross-border cooperation on legal and judicial matters
The institution's work involves sensitive legal, diplomatic, and judicial data, making it an attractive high-profile target for criminal extortion groups.
ShinyHunters' Track Record
ShinyHunters is a well-documented financially motivated extortion group known for large-scale data theft campaigns targeting high-profile organizations. Their recent activity has been relentless:
| Victim | Claimed Data | Timeframe |
|---|---|---|
| Council of Europe | Under investigation | June 2026 |
| Oracle PeopleSoft (via CVE-2026-35273) | University breach data | June 2026 |
| Medtronic | 9 million patient records | April 2026 |
| ADT | 5.5 million customer records | April 2026 |
| 7-Eleven | 185,000 customer records | May 2026 |
| Instructure (Canvas) | 365 TB data | May 2026 |
The group's pattern typically involves exfiltrating data, then threatening to publish it unless a ransom is paid — a double-extortion model that pressures organizations even when backups are available.
Current Status of the Investigation
As of June 15, 2026, the Council of Europe's security team is in the early stages of its investigation. Key unknowns include:
- What data was accessed — the scope of any breach, including whether personal data of staff, member state representatives, or court applicants was involved
- How access was obtained — the initial vector, whether through stolen credentials, exploitation of a vulnerability, or supply chain compromise
- Whether the claims are legitimate — ShinyHunters has on rare occasions made exaggerated or false claims; independent verification of the breach is pending
The Council stated it is taking the claims "seriously" while continuing to assess the situation. Under the EU General Data Protection Regulation (GDPR) and Council of Europe Convention 108+, breach notification requirements would apply if personal data of individuals was compromised.
Why This Breach Would Be Significant
A confirmed breach of the Council of Europe would carry outsized significance compared to most corporate breaches:
Sensitive Data Categories
The Council of Europe processes categories of data that rarely appear in commercial breach contexts:
- European Court of Human Rights case files — including communications with applicants bringing human rights complaints against member states
- Diplomatic communications — between member state delegations and Council secretariat
- Legal proceedings data — materials related to ongoing treaty monitoring and compliance assessments
- Staff and HR data — for Council employees across multiple European cities
Geopolitical Sensitivity
The Council of Europe's work spans human rights monitoring in conflict zones and sensitive diplomatic negotiations. Exposure of internal communications could have implications beyond typical data breach scenarios, affecting ongoing legal proceedings and diplomatic relations.
ShinyHunters' Methods
Based on the group's documented operational patterns, likely attack vectors include:
- Credential theft via infostealer malware — ShinyHunters has repeatedly leveraged credentials stolen by infostealers like Redline and Raccoon that circulate on underground markets
- Cloud storage misconfiguration — the group has previously exploited improperly secured cloud storage buckets and SaaS integrations
- Supply chain compromise — recent attacks have used vulnerabilities in shared services (e.g., the Oracle PeopleSoft zero-day, Snowflake customer attacks) to reach multiple organizations through a single breach point
- Exploitation of unpatched CVEs — particularly in internet-facing applications including VPNs and web portals
What Organizations Should Do
The Council of Europe breach claim is a reminder that no organization — regardless of prestige or legal mandate — is exempt from criminal targeting. ShinyHunters specifically targets high-profile institutions because breach notifications from well-known names generate leverage for extortion demands.
Immediate defensive priorities:
- Audit privileged account access — review which accounts have access to sensitive repositories, cloud storage, and collaboration platforms; enforce MFA universally
- Check for credential exposure — use threat intelligence services to identify whether organizational credentials are circulating in stealer logs or dark web markets
- Review SaaS and third-party integrations — supply chain compromise through third-party services has been a consistent ShinyHunters vector
- Segment sensitive data — apply data minimization and access control principles to limit blast radius if credentials are compromised
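The first two priorities above can be combined into one triage pass. The following Python is an added example, not code from the article or from any vendor tool: it assumes a credential-exposure feed in a url:login:password layout and an identity export with login, privileged and mfa columns, and the domain example.int and all sample rows are constructed.

```python
import csv
import io
from urllib.parse import urlsplit

ORG_DOMAIN = "example.int"  # hypothetical organization domain
# Constructed samples: feed lines (assumed layout), then an identity export.
FEED = """\
https://sso.example.int/login:alice@example.int:REDACTED1
https://portal.example.int:8443/auth:bob@example.int:REDACTED2
https://shop.example.com/account:carol@gmail.com:REDACTED3
android://hash@com.example.app/:dave@example.int:REDACTED4
malformed line without separators
"""
INVENTORY = """\
login,privileged,mfa
alice@example.int,yes,no
bob@example.int,no,yes
dave@example.int,yes,yes
erin@example.int,yes,no
"""
RANK = {"critical": 0, "high": 1, "medium": 2}

def parse_feed_line(line):
    """Return (host, login) or None. The password field is discarded."""
    # Split from the right: the URL itself contains ':' (scheme, port).
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or "@" not in parts[1]:
        return None
    return (urlsplit(parts[0]).hostname or "").lower(), parts[1].lower()

def triage(feed_text, inventory_csv, domain=ORG_DOMAIN):
    """Rank inventory accounts by feed exposure, privilege and MFA state."""
    exposed = {}
    for hit in map(parse_feed_line, feed_text.splitlines()):
        if hit and hit[1].endswith("@" + domain):
            exposed.setdefault(hit[1], set()).add(hit[0])
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        login = row["login"].lower()
        priv, mfa = row["privileged"] == "yes", row["mfa"] == "yes"
        if login in exposed:  # exposed accounts are kept even with MFA on
            level = "critical" if not mfa else ("high" if priv else "medium")
        elif priv and not mfa:
            level = "high"
        else:
            continue
        findings.append((level, login, sorted(exposed.get(login, ()))))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))

if __name__ == "__main__":
    print(*triage(FEED, INVENTORY), sep="\n")
```

A password that itself contains ':' shifts the fields under this split, so lines that fail to parse should be reviewed by hand instead of being treated as clean.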