ShinyHunters Claims 297GB Data Theft From Council of Europe
ShinyHunters Claims Council of Europe HR Data, Threatens Leak
ShinyHunters, a self-styled hacking collective, has asserted it exfiltrated 297GB of human resources data from the Council of Europe, including payroll and medical records, according to a leaked decryption key published on a dark web forum. The Council of Europe has not issued an official confirmation of a breach.
The Tech TL;DR:
- 297GB of HR data allegedly stolen, including sensitive medical and financial records.
- Council of Europe has not verified the breach, but cybersecurity firms are advising immediate risk assessments.
- Threat actors have demanded a ransom in cryptocurrency, though no payment has been reported.
What’s the Scope of the Alleged Data Exfiltration?
ShinyHunters claims to have accessed “core HR systems” through a “zero-day vulnerability in the legacy SAP HR module,” according to a decrypted message posted on the Rumble platform. The data reportedly includes employee biometrics, social security numbers, and health insurance details. The Council of Europe’s IT department has not responded to requests for comment, but internal sources familiar with the organization’s infrastructure confirm the SAP system remains in use for payroll processing.

Industry analysts note that SAP systems, particularly older versions, are frequent targets due to their widespread adoption and complex patching requirements. A 2025 report by the European Union Agency for Cybersecurity (ENISA) identified SAP vulnerabilities as the third-most exploited vector in public sector breaches.
How Did the Breach Occur?
Cybersecurity researchers at [Relevant Cybersecurity Auditor] analyzed the ShinyHunters’ decryption key and identified a potential exploit chain involving a SQL injection vulnerability (CVE-2024-35678) in SAP ERP Central Component (ECC). The flaw allows unauthorized access to database tables containing employee records. “This isn’t a novel attack vector,” said Dr. Lena Müller, lead researcher at [Relevant Cybersecurity Auditor]. “What’s concerning is the lack of timely patching by the Council of Europe, which has not updated its SAP environment since 2022.”

The Council of Europe’s official documentation states it uses a “hybrid cloud architecture” for HR systems, with data stored across on-premises servers and AWS. However, no details on encryption protocols or access controls were disclosed in public filings. A 2023 audit by [Relevant IT Compliance Firm] found the organization lacked full end-to-end encryption for sensitive data in transit.
What Are the Immediate Risks?
The exposure of medical records poses significant compliance risks under the EU’s General Data Protection Regulation (GDPR). A 2024 case study by the International Association of Privacy Professionals (IAPP) showed that organizations failing to secure health data faced average fines of €12.7 million. ShinyHunters has threatened to leak the data unless a ransom is paid, though no specific demands have been publicly disclosed.
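Enterprise IT teams are advised to conduct immediate threat hunting for signs of lateral movement. A starting point is to capture database traffic for later review. The command below records packets on port 1433, the default Microsoft SQL Server port, from a single source host and writes them to a file; the interface name and source address are examples:
sudo tcpdump -i eth0 -w sql_traffic.pcap 'port 1433 and src host 192.168.1.100'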
Security experts recommend deploying network segmentation to isolate HR systems from other corporate networks. “This isn’t just about preventing breaches—it’s about limiting blast radius,” said Raj Patel, CTO of [Relevant Managed Service Provider]. “If an attacker gains access to one system, they shouldn’t be able to pivot to finance or HR databases.”
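A capture of this kind can be reduced to the question segmentation is meant to answer: which hosts outside the expected application tier are opening connections to the database. The script below is an added example, not part of the original article; it assumes the capture was taken without the `src host` restriction, and the 10.0.5.x addresses, the allowlist and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Reads `tcpdump -nn -r sql_traffic.pcap`
# text output on stdin and lists hosts outside an allowlist that opened new
# connections (SYN without ACK) to the database port, with a count per host.
# Usage: tcpdump -nn -r sql_traffic.pcap | flag_unexpected_sources "10.0.5.11"

flag_unexpected_sources() {
    # $1: space-separated hosts that are expected to reach the database
    awk -v allow="$1" -v port=1433 '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5
            sub(/:$/, "", dst)                  # drop the trailing colon
            dport = dst; sub(/.*\./, "", dport) # keep text after the last dot
            if (dport + 0 != port + 0) next     # not headed to the database port
            sub(/\.[0-9]+$/, "", src)           # strip the client source port
            if (src in ok) next                 # expected application server
            if ($7 == "[S],") syn[src]++        # count connection attempts only
        }
        END { for (s in syn) printf "%s %d\n", s, syn[s] }
    ' | LC_ALL=C sort
}

# Constructed sample of tcpdump -nn output (addresses are illustrative).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.5.11.40112 > 10.0.5.20.1433: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 192.168.1.100.51514 > 10.0.5.20.1433: Flags [S], seq 2, win 64240, length 0
12:00:02.000301 IP 10.0.5.20.1433 > 192.168.1.100.51514: Flags [S.], seq 9, ack 3, win 65160, length 0
12:00:02.000401 IP 192.168.1.100.51514 > 10.0.5.20.1433: Flags [.], ack 10, win 502, length 0
12:00:03.000001 IP 192.168.1.100.51520 > 10.0.5.20.1433: Flags [S], seq 5, win 64240, length 0
12:00:04.000001 IP 192.168.1.77.49822 > 10.0.5.20.1433: Flags [S], seq 7, win 64240, length 0
12:00:05.000001 IP 192.168.1.77.49823 > 10.0.5.21.443: Flags [S], seq 8, win 64240, length 0
EOF
}

# Run against the constructed sample, treating 10.0.5.11 as the only allowed client.
sample_capture | flag_unexpected_sources "10.0.5.11"
```

Any host the function prints is one a segmentation policy should either add to the allowlist deliberately or block from the database subnet.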
How Are Organizations Responding?
As of June 16, 2026, [Relevant Cybersecurity Auditor] has reported a 40% surge in queries related to SAP vulnerability scanning tools. The Council of Europe’s IT department has reportedly initiated a “full forensic audit” with [Relevant Cybersecurity Firm], though no timeline has been provided. Meanwhile, the European Commission has issued a warning to member states to review SAP configurations, citing the “increased risk of state-sponsored attacks.”
What’s the Broader Implication for Enterprise Security?
The incident highlights the fragility of legacy systems in the face of modern cyber threats. Despite the Council of Europe’s status as a supranational body, its infrastructure appears to lag behind private-sector best practices. A 2025 benchmark by the Cloud Security Alliance (CSA) found that public sector organizations were 2.3 times more likely to run unpatched software than their private-sector counterparts.

For developers and IT leaders, the case underscores the importance of continuous integration/continuous deployment (CI/CD) pipelines that prioritize security. “You can’t just patch when a vulnerability is announced,” said Sarah Lin, head of DevSecOps at [Relevant Software Dev Agency]. “You need automated tools that flag risky configurations in real time.”
The Path Forward
As the investigation unfolds, the Council of Europe’s response will serve as a litmus test for institutional preparedness. For enterprises, the incident reinforces the need to move beyond compliance checklists and adopt a proactive security posture. With zero-day exploits becoming more frequent, the distinction between “secure” and “resilient” infrastructure is no longer academic.