Council of Europe faces 297GB PeopleSoft heist as ShinyHunters lists HR payroll data

ShinyHunters says it stole more than 297 GB of data from the Council of Europe by exploiting a zero-day flaw in Oracle PeopleSoft, and it is now shopping the breach on a leak site. The group claims the haul includes 429,000 pilfered files containing HR and payroll records, payslips, purchase-order records, CVs, and employees’ salary, banking, tax, and medical records. That combination is the kind of data attackers love because it is both sensitive and actionable, and it tends to live behind HR and finance workflows that most organizations treat as “operational,” not “threat model critical.”

The Council of Europe has confirmed it is not sitting on its hands. A spokesperson told The Register it is “currently investigating the matter and assessing the situation,” while declining to comment further. In parallel, ShinyHunters and other reporting place the cause of the problem on a specific PeopleSoft vulnerability tracked as CVE-2026-35273, and they frame the Council of Europe as another victim in the same chain.

So what exactly happened in the broader PeopleSoft wave, and why are decision-makers still worried even if their systems seem “pretty locked down”? According to ShinyHunters, the gang exploited CVE-2026-35273 to compromise more than 100 organizations across 300 vulnerable instances. Google’s late-week threat report, cited by The Register, noted malicious activity “consistent with the exploitation of CVE-2026-35273” between May 27 and June 9. Google also said its incident responders notified more than 100 global organizations “whose IP addresses correlated with potentially vulnerable endpoints.” In other words, the activity window was narrow enough to be concrete, but wide enough to imply real operational spread across the internet.

Most of those impacted organizations are US-based, and 68 percent operate within the higher education sector, per the same Google report. That matters because HR and payroll are not only compliance-heavy, they are also full of recurring touches: benefits changes, tax documentation, banking updates, and staffing cycles. When a threat actor gets access to that environment, the “breach” is not a single event. It becomes a pipeline for follow-on fraud, identity stitching, and targeted extortion, because the data is structured around real people and real payments.

This latest heist follows a pattern ShinyHunters has used repeatedly: compromise, collect, then leak and extort. The Register notes that the group previously targeted the University of Nottingham. Last week, it listed the UK university on its leak site and then dumped data belonging to around 454,600 current and former students, including personal and academic records. Separately, ShinyHunters previously targeted student and K-12 ecosystems, including an intrusion involving data from K-12 software provider Infinite Campus as part of a broader wave of Salesforce-related intrusions.

The Infinite Campus episode adds another layer for boards and risk teams: even when breached data turns out to be “directory information,” the real damage can be reputational, operational, and regulatory. Infinite Campus’s data breach notification said the leaked files largely consisted of “names and contact information for school staff” and that “the majority is directory information commonly found on school websites.” The group still published what it claimed to have stolen, including email addresses along with names, phone numbers, physical addresses and support tickets for 137,000 individuals. Translation: attackers do not need every record to be nuclear for the outcome to be messy. They need enough personally identifiable context to make their story credible and their follow-on actions easier.

And the PeopleSoft story is sitting next to another high-profile education-tech extortion case. In mid-May, ed-tech giant Instructure said it “reached an agreement” with ShinyHunters after the group breached its Canvas digital learning platform and accessed data tied to 275 million students, teachers, and staff. The wording is corporate-speak for paying the ransom demand, which is exactly the kind of decision boards cannot outsource. If the same playbook is being used against HR and payroll platforms, the question becomes less “did they get in?” and more “what did we do after we learned they were trying?”

For decision-makers watching this, the Council of Europe incident is a reminder that HR and payroll systems are not just internal back office. They are identity and finance control planes. Even the uncertainty around whether CVE-2026-35273 has been patched, noted by The Register, is itself a governance issue: it suggests a window where exposure can persist across “vulnerable instances,” not just vulnerable products. The second-order implication is brutal for enterprise risk programs: your blast radius depends on where PeopleSoft is deployed, who can reach it, how quickly patches propagate through environments, and whether you can detect exploitation during that May 27 to June 9 style window.

If your organization runs PeopleSoft, or relies on vendors running HR and payroll platforms, the headline is the warning label. The body is the map. ShinyHunters is turning a specific CVE into a global campaign, and data types like banking, tax, medical, and payslips are the kind that don’t just trigger incident response, they trigger fraud workflows. The strategic stake is simple: the next “investigating” statement from a major org is only a question of time, unless your patch, logging, and containment discipline can keep up with attackers who treat HR as a high-value database, not a sleepy system.