Council of Europe Breach Exposes Scale of PeopleSoft Zero-Day Campaign

ShinyHunters claims to have stolen more than 297GB of data — over 429,000 files including 409,000 payslips — from the Council of Europe, exploiting an Oracle PeopleSoft zero-day that has been used to compromise more than 100 organisations across Europe and the United States.

By Acompli Editorial

The Council of Europe is investigating claims by the threat actor group ShinyHunters that it exfiltrated more than 297GB of data — over 429,000 files — from the organisation's systems. The claim was published on 14 June 2026, with the group threatening to release the dataset unless its demands were met by 16 June. The Council has confirmed it is investigating but has not independently verified the full scope of the compromise.

The allegedly stolen material is extensive and personnel-heavy. ShinyHunters claims the dataset includes more than 409,000 payslips, over 14,000 CVs, and more than 3,700 internal human resources files, spanning a period from 2011 to 2026 and potentially affecting over 10,000 current and former employees, contractors, and job applicants. The group says the data originates from multiple Council of Europe entities, including the Secretariat, the Human Resources Directorate, the Parliamentary Assembly, and the European Directorate for the Quality of Medicines and HealthCare (EDQM). The concentration of payroll and HR records places the incident firmly within the scope of personal data breach obligations, with categories of data ranging from financial details to recruitment records.

The breach is significant beyond the Council itself because of how it was carried out. ShinyHunters exploited CVE-2026-35273, a critical zero-day in Oracle PeopleSoft PeopleTools that allows unauthenticated remote code execution and carries a CVSS base score of 9.8. Oracle published a security alert and released an out-of-band patch on 10 June 2026, and the US Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalogue. Mandiant has confirmed active exploitation by ShinyHunters between 27 May and 9 June 2026, with more than 100 organisations impacted — approximately two-thirds of them academic institutions. Attackers chained the zero-day with previously patched Oracle vulnerabilities to escalate privileges and evade network segmentation.

For organisations running PeopleSoft, the immediate priority is patching and compromise assessment. But the wider lesson is the speed at which a single enterprise software vulnerability can cascade into mass data theft across the public and education sectors. The Council of Europe incident is the highest-profile victim of a campaign that was already well underway before the patch was available — a reminder that zero-day exposure is not a hypothetical risk for organisations that depend on widely deployed enterprise platforms.

Acompli perspective: A breach that enters through an enterprise software vulnerability triggers the same data protection obligations as any other. Where personal data is exfiltrated, controllers must assess the incident against the Article 33 notification threshold and, where the risk to individuals is high, communicate directly with those affected under Article 34. The foundations for responding well are the same ones that underpin broader compliance: accurate data mapping so you know which systems hold which categories of personal data, maintained records of processing to support a notification, and third-party risk assessments that account for the enterprise platforms your organisation depends on — not just the processors you contract with directly.

Sources

More from the newsroom