Council of Europe Confirms It Is Investigating Reported Breach Claims

The Oracle PeopleSoft campaign coverage extends into a major European intergovernmental institution.


Key Takeaways

  • The Council of Europe — the Strasbourg-based intergovernmental human-rights body, which is distinct from the Council of the European Union and the European Council — confirmed it is investigating breach claims attributed in public reporting to the ShinyHunters extortion group.
  • Reporting frames the disclosure as a continuation of the broader Oracle PeopleSoft campaign tied to CVE-2026-35273, a critical zero-day documented by Google Threat Intelligence Group that reportedly affected more than 100 organizations.
  • The Council has not confirmed the volume of records, the categories of data, the access path, member-state notification, or an incident-response timeline; those details remain reported claims rather than established facts.

STRASBOURG — The Council of Europe confirmed on or around June 15, 2026 that it is investigating reported breach claims, after the extortion group ShinyHunters publicly listed the Strasbourg-based intergovernmental organization as a victim. In a brief statement quoted by security reporters, the Council said it was assessing the situation and had no further comment at this stage, stopping short of confirming any of the specifics circulating in public reporting.

The disclosure matters partly because of which institution is involved and partly because of the campaign it appears to extend. Reporting links the claimed intrusion to the broader Oracle PeopleSoft campaign that researchers have documented over the past two weeks — the same campaign behind a string of recent victims tracked in our coverage of ShinyHunters' Oracle PeopleSoft zero-day. The Council's confirmation is, for now, an acknowledgement that it is investigating, not a validation of the attacker's claims.

At a Glance
| Field | Details |
| --- | --- |
| Institution | Council of Europe (Strasbourg) — intergovernmental human-rights body, distinct from the Council of the EU |
| What | Council confirms it is investigating reported breach claims |
| Attributed to (reported) | ShinyHunters extortion group (per public reporting) |
| Campaign context | Broader Oracle PeopleSoft campaign; 100+ organizations reportedly affected |
| Underlying CVE | CVE-2026-35273 (Oracle PeopleSoft / PeopleTools, critical) |
| Status | Under investigation; specifics unconfirmed by the Council |

What the Council of Europe Confirmed

The Council of Europe's confirmation is narrow and carefully worded. According to security reporting, the organization said it was "currently investigating the matter and assessing the situation" and had "no further comment to make at this stage." That phrasing acknowledges an active investigation without endorsing any of the figures or data categories that the attacker has publicly asserted. As of this writing, the Council has not published an independent technical account, named a confirmed access path, or stated whether any personal data was actually exposed.

It is worth being precise about which institution this is. The Council of Europe is a 46-member intergovernmental organization headquartered in Strasbourg, founded in 1949, best known for the European Convention on Human Rights and the European Court of Human Rights. It is a separate body from the Council of the European Union (an EU institution where member-state ministers meet) and from the European Council (the EU body of heads of state and government). The similarity of the names routinely causes confusion, but the organization at the center of these reported breach claims is the human-rights body, not an EU institution.

What ShinyHunters has claimed — and what reporting has relayed rather than verified — is a large theft of internal records. Public reporting describes the group asserting it took hundreds of gigabytes of data and hundreds of thousands of files spanning HR, secretariat, and other functions, and threatening to leak the material. Those figures originate with the attacker. The Council's own confirmation extends only to the fact of an investigation, and the gap between the two is the central caveat of this story.

The Continuation Context — Oracle PeopleSoft Campaign Coverage

The reported Council of Europe intrusion does not stand alone. Public reporting frames it as the latest disclosure in a broader campaign that researchers have tracked through early June, in which the ShinyHunters extortion group reportedly exploited a critical Oracle PeopleSoft zero-day to reach more than 100 organizations. The CyberSignal first covered that campaign in its reporting on the Oracle PeopleSoft zero-day and the higher-education sector, and the Council disclosure reads as a continuation of that thread rather than a new and unrelated event.

The technical anchor of the campaign is CVE-2026-35273, a critical vulnerability in Oracle's PeopleSoft Enterprise PeopleTools. Reporting describes it as a remotely exploitable flaw requiring no authentication, which Oracle addressed in an out-of-band security alert in early June. Google Threat Intelligence Group, drawing on Mandiant's incident work, documented exploitation activity and notified the affected organizations; reporting indicates that the bulk of the notified entities were in the United States and that a large share sat in the higher-education sector. Whether PeopleSoft is the confirmed access path into the Council of Europe specifically has not been established — that linkage is reported context, not a confirmed finding.

ShinyHunters is a familiar name in this kind of coverage. The group's recent activity has run through a series of extortion-driven data thefts that the CyberSignal has tracked across very different targets, from a media platform to a telecom and a cruise operator. The pattern is consistent: claim a large dataset, list the victim on a leak site, and apply a deadline. The Council of Europe disclosure fits that template, which is exactly why the figures attached to it should be read as claims pending verification.

Sector Advisory for European Public-Sector PeopleSoft Users

For European public-sector and intergovernmental bodies running Oracle PeopleSoft, the practical takeaway is independent of whether the Council of Europe claims hold up in detail. The campaign that reporting ties to this disclosure exploited a known, patched, critical vulnerability in widely deployed enterprise software. Any organization operating PeopleSoft Enterprise PeopleTools should confirm it is on a fixed build, treat CVE-2026-35273 as a priority remediation, and review whether its PeopleSoft web tier is reachable from networks that do not need access to it.

Public-sector HR and payroll systems are an attractive target precisely because of what they hold: payslips, contracts, identity documents, banking details, and records on staff and applicants going back years. Reporting on the Council claims emphasizes exactly this category of data. Institutions in similar positions can use this disclosure as a prompt to verify logging and retention on their HR platforms, to confirm that access to those systems is segmented and monitored, and to rehearse the notification obligations that would apply if a confirmed exposure occurred.

The advisory framing here is deliberate. Because the access path into the Council specifically is not confirmed, the durable lesson is not "this is how the Council was breached" but "this class of system, running this class of software, is being actively targeted." Treating the PeopleSoft advisory as a high-priority patch-and-hardening cycle is the action that holds regardless of how the Council's own investigation resolves.

What the Council's Investigation Will Determine Next

The Council's investigation will have to answer the questions its initial statement deliberately left open. The first is whether a breach occurred at all in the form claimed, and if so, what was actually accessed versus what the attacker has asserted. Attacker-stated file counts and data volumes are frequently inflated or padded with previously leaked or duplicated material, so an independent assessment of the dataset's authenticity and scope is the natural next step.

Beyond confirmation, the investigation will need to establish the access path — whether the reported PeopleSoft exposure is in fact how any intrusion occurred — and the timeline, including when access was first obtained and when it was contained. For an organization that processes personal data on staff, contractors, and applicants across many member states, the determination of whether personal data was exposed also carries notification consequences. Whether and when the Council notifies affected individuals or member states is, at this stage, unresolved and unstated.

None of those determinations is available yet, and the Council has signaled it does not intend to comment further while the work is ongoing. That is an ordinary posture for the early phase of an incident, but it means the most consequential facts — scope, access path, data categories, and notification — remain reported claims rather than confirmed findings. The responsible reading is to treat the confirmation of an investigation as the established fact and everything attached to the attacker's claims as pending.

Open Questions

Several questions are worth keeping in view as the investigation proceeds. The volume of records and the categories of data remain reported, not confirmed; the figures in circulation originate with ShinyHunters. Whether Oracle PeopleSoft is the confirmed access path into the Council has not been established, even though the broader campaign provides the framing for the disclosure. The incident-response timeline, the question of whether other intergovernmental or public-sector bodies were affected in the same wave, and any member-state notification are all open.

What is firmly established is narrower but still significant: a major European intergovernmental institution has publicly confirmed it is investigating reported breach claims, and reporting situates that disclosure within an active, well-documented campaign exploiting a critical Oracle PeopleSoft vulnerability. For the wider audience tracking ShinyHunters' extortion activity — including the recent disclosures involving Vimeo, Charter Spectrum, and Carnival Cruise Line — the Council of Europe disclosure is best read as a developing incident: confirmed at the level of an investigation, unconfirmed in its specifics, and worth following as the verified facts catch up to the claims.


Sources

| Type | Source |
| --- | --- |
| Reporting | BleepingComputer — Council of Europe investigates ShinyHunters data breach claims |
| Reporting | The Register — Council of Europe hacked in ShinyHunters' PeopleSoft heist |
| Reporting | SecurityWeek — ShinyHunters Claims Council of Europe Hack |
| Analysis | Google Cloud / GTIG — ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit |
| Related | The CyberSignal — ShinyHunters' Oracle PeopleSoft Zero-Day Hits Higher Education |
| Related | The CyberSignal — Charter Spectrum Confirms ShinyHunters Records Theft |