ShinyHunters Claims 297 GB From the Council of Europe. Payroll Records for 10,000 Employees. Medical Data. Tax Numbers. Deadline: June 16.

Europe's Highest Governance Body

On June 15, 2026, ShinyHunters — the same threat group exploiting Oracle PeopleSoft vulnerabilities against universities — claimed to have exfiltrated 297 GB of data from the Council of Europe. The Council is not an EU institution; it is the continent's oldest international organization, founded in 1949, with 46 member states. It oversees the European Convention on Human Rights, the European Court of Human Rights, and sets standards for democracy, rule of law, and human rights across Europe.

The claimed dataset includes: 429,000+ files, payroll records for 10,000+ employees spanning 2011 to 2026, 14,000+ CVs, bank account information, medical records, and tax and social security numbers. Compromised departments reportedly include HR, the Secretariat General, the Parliamentary Assembly, and the European Directorate for the Quality of Medicines (EDQM). ShinyHunters set a deadline of June 16 to begin negotiations — tomorrow — or the data goes public.

The Government Digital Infrastructure Pattern

ShinyHunters' June 2026 campaign reveals a pattern: they are systematically targeting institutional infrastructure that runs on legacy systems. The Oracle PeopleSoft exploit (CVE-2026-35273, CVSS 9.8) used against universities shares architectural DNA with enterprise resource planning systems deployed across government institutions. The Council of Europe's HR, payroll, and document management systems were built in an era when the threat model did not include organized cybercrime groups with nation-state capabilities.

The French government's Tchap messaging platform was breached on June 7 by a separate actor — 73,467 of 825,000 government accounts compromised, 643,000 plaintext chat messages exfiltrated. Two major European governmental infrastructure breaches in a single week. Both targeting systems that handle sensitive employee and operational data. Both exploiting infrastructure that has not been modernized to current security standards.

What the NIS2 Deadline Means Now

The irony is architectural. The organization that sets human rights and governance standards for 46 European nations appears to have been running HR and payroll infrastructure that could not withstand a threat group that simultaneously targeted American universities. The digital infrastructure gap is not a technology problem — the Council of Europe has the budget for modern systems. It is a governance problem: the same pattern of deferred modernization that WebPulse documents across the commercial web applies to the institutions that govern the web's regulatory environment.

What This Means for WebPulse's Government Analysis

WebPulse's government website analysis tracks framework adoption, security posture, and modernization velocity across public sector sites. The Council of Europe breach adds a data point to the pattern: government institutions running legacy web and enterprise infrastructure are disproportionately targeted because their attack surface is disproportionately large. The same architectural decisions that result in poor Core Web Vitals scores and outdated framework versions also result in exploitable ERP systems and unencrypted employee data.

The web infrastructure that faces the public (the website) and the enterprise infrastructure that faces employees (HR, payroll, document management) are usually deployed by the same IT organization, using the same security practices, operating under the same modernization timeline. An institution whose public website runs on a 2018 CMS template is likely running 2018-era enterprise systems behind it. WebPulse's public-facing scan data is a proxy for the infrastructure security that ShinyHunters exploits. The websites we can see predict the systems we cannot.