ShinyHunters claims it stole payroll, banking, tax and medical records from the Council of Europe through an Oracle PeopleSoft flaw tied to more than 100 victims.

ShinyHunters claims it breached the Council of Europe and stole more than 297 GB of data through a zero-day flaw in Oracle PeopleSoft, adding the human rights body to a victim list that the extortion group says includes more than 100 organizations.
The group posted the claim on its leak site and said it took 429,000 files. The files include HR and payroll records, payslips, purchase orders, CVs, salary details, banking records, tax files and medical records, according to The Register.
A Council of Europe spokesperson told The Register that the organization has opened an investigation and started an assessment. The spokesperson declined further comment.
ShinyHunters told The Register that the Council of Europe breach came from the same PeopleSoft campaign that hit the University of Nottingham. The group claims it exploited CVE-2026-35273 across more than 300 vulnerable instances. Oracle had not answered The Register's questions at publication time, and the company had not said whether it patched the flaw.
Google threat researchers also saw activity consistent with exploitation of CVE-2026-35273 from May 27 to June 9. Google said its responders notified more than 100 organizations whose IP addresses matched exposed endpoints. Google said 68% of those organizations operate in higher education, and most sit in the United States.
The stolen data categories raise direct privacy risks for Council of Europe staff and applicants. Payroll and banking data can fuel payment fraud. Tax files can help criminals file false returns. Medical records can expose private conditions that workers may have shared only with an employer or benefits provider.
The legal risk also reaches beyond incident response. The General Data Protection Regulation treats health data, payroll data and identity records as protected personal data. Organizations that handle European residents' data must protect it, limit access, document security measures and notify regulators within 72 hours after they confirm a breach that creates risk for affected people.
GDPR penalties can reach 20 million euros or 4% of annual global revenue, whichever figure is higher. Regulators weigh the type of data, the number of people affected, the security controls in place and the speed of notification.
The California Consumer Privacy Act may also matter if the stolen files include California residents. The CCPA gives residents rights to know, delete and limit some uses of personal information. It also creates statutory damages for certain breaches involving unencrypted personal information, with damages ranging from $100 to $750 per consumer per incident.
PeopleSoft sits deep inside HR, payroll and finance departments, which makes this campaign more dangerous than a website defacement or email compromise. A single exposed PeopleSoft instance can hold years of employee records, contractor files, benefits data and procurement documents. Attackers who reach that system can assemble a profile of a worker's job, pay, bank account and health claims.
The University of Nottingham case shows the scale. ShinyHunters listed the university last week and then released data tied to about 454,600 current and former students. The files included personal and academic records, according to The Register.
ShinyHunters has also targeted education technology vendors. Instructure said in May that it reached an agreement with the group after a breach of its Canvas platform exposed data tied to 275 million students, teachers and staff. In March, ShinyHunters claimed it stole data from Infinite Campus, a K-12 software provider, during a wave of Salesforce-related intrusions.
Organizations that run PeopleSoft should treat the campaign as an active breach risk. Security teams need to identify internet-facing PeopleSoft instances, review logs from late May through June, restrict access, rotate credentials and check for data staging or bulk export activity. Legal and privacy teams should prepare regulator notices if logs show access to personal data.
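One way to start the log review described above, as an added example that is not from the article, Oracle or Google: it totals successful response bytes per client IP inside the review window and flags unusually large transfers. The log format (Combined Log Format from a web tier or reverse proxy in front of PeopleSoft), the year, the byte threshold, the request paths and every sample line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined Log Format (assumed): ip ident user [time] "request" status bytes
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ \S+[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Review window: late May through June, per the article. The year is an assumption.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 7, 1, tzinfo=timezone.utc)

def bulk_export_candidates(lines, min_bytes=50_000_000,
                           start=WINDOW_START, end=WINDOW_END):
    """Return {ip: (total_bytes, request_count)} for clients whose 2xx
    responses inside [start, end) add up to at least min_bytes."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or non-request line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts < end):
            continue  # outside the review window
        if not m["status"].startswith("2") or m["size"] == "-":
            continue  # denied or empty responses carry no exported data
        totals[m["ip"]][0] += int(m["size"])
        totals[m["ip"]][1] += 1
    return {ip: (b, n) for ip, (b, n) in totals.items() if b >= min_bytes}

# Constructed sample lines: documentation IP ranges and placeholder paths.
SAMPLE = [
    '198.51.100.7 - - [28/May/2026:02:14:09 +0000] "GET /placeholder/a HTTP/1.1" 200 31000000',
    '198.51.100.7 - - [28/May/2026:02:14:41 +0000] "GET /placeholder/b HTTP/1.1" 200 29000000',
    '203.0.113.20 - - [02/Jun/2026:09:30:00 +0000] "GET /placeholder/c HTTP/1.1" 200 48213',
    '198.51.100.7 - - [15/Apr/2026:11:00:00 +0000] "GET /placeholder/d HTTP/1.1" 200 90000000',
    '192.0.2.44 - - [03/Jun/2026:04:00:00 +0000] "GET /placeholder/e HTTP/1.1" 403 70000000',
    'truncated line without a request',
]

if __name__ == "__main__":
    for ip, (b, n) in bulk_export_candidates(SAMPLE).items():
        print(f"{ip}: {b} bytes across {n} requests")
```

A flagged address is a lead for closer review against known users, integrations and backup jobs, not proof of exfiltration.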
Affected workers should watch for payroll fraud, tax fraud and targeted phishing. An attacker with HR records can write convincing emails that mention a real employer, pay cycle or benefits plan. Staff should verify payroll change requests through a known internal channel and place fraud alerts if bank or tax records appear in the leaked files.
Oracle now faces pressure to explain the status of CVE-2026-35273, tell customers which PeopleSoft versions face exposure and publish mitigation steps. Customers cannot manage the risk with guesswork. They need a patch, indicators of compromise and clear guidance on log sources that reveal exploitation.
