coe.int Listed by shinyhunters Ransomware Group
Over 297 GB of Council of Europe HR and payroll data (429,000+ files) was compromised across the Secretariat, Directorate of Human Resources, Parliamentary Assembly, EDQM, permanent and temporary staff, interpreters, conference services, language booth units, and payroll administration, including 409,000+ payslips for 10,000+ staff from 2011 to 2026, 14,000+ CVs and 3,700+ in-house personnel files, 10,700+ per-employee document stores, contract and purchase order records, mission travel overpayments, interpreter scheduling and 2026 salary scales, Blue List rosters, absence and illness reports,
On June 13, 2026, the shinyhunters ransomware group listed the Council of Europe on its leak site after exfiltrating more than 297 GB of internal HR and payroll files containing 429,000+ documents.
Confirmed Details from Reporting
Public reporting indicates the compromised data spans the Council of Europe Secretariat, Directorate of Human Resources, Parliamentary Assembly, European Directorate for the Quality of Medicines (EDQM), and related support units. The files include 409,000+ payslips covering more than 10,000 permanent and temporary staff, interpreters, and conference services personnel from 2011 through 2026.
Additional records encompass 14,000+ CVs, 3,700+ in-house personnel files, 10,700+ per-employee document stores, contract and purchase order records, mission travel overpayments, interpreter scheduling details, 2026 salary scales, Blue List rosters, absence reports, and illness documentation. The sheer volume and sensitivity of these records make this one of the more significant exposures of European institutional personnel data in recent years.
Why This Matters for You and Your Family
When an organization that processes employment, salary, and personal identification data for thousands of people suffers a breach, the ripple effects reach far beyond the immediate victims. If you or anyone in your household has ever worked with European institutions, applied for roles there, or had family members whose payroll or travel records passed through these systems, your information may now sit in an attacker-controlled archive.
Names, addresses, dates of birth, salary histories, bank details tied to reimbursements, and medical absence notes can be combined with other publicly available fragments to build detailed profiles. For ordinary families this often translates into increased risk of identity theft, targeted phishing, or fraudulent loan applications opened in your name.
The Doxxing and Identity-Chain Risks
HR and payroll leaks rarely stay isolated. Attackers routinely cross-reference employee CVs, interpreter rosters, and contact lists with gaming usernames, social-media handles, and family-member emails. A single exposed work address or spouse’s name can link a professional identity to personal accounts in hours.
Credential leaks like this one cascade into account takeovers and doxxing chains, especially when children’s gaming accounts reuse an email address that appears in a parent’s personnel file. Once the chain is mapped, extortion demands or public shaming become straightforward for the attackers.
Shinyhunters’ Publicly Known Track Record
Public reporting attributes the shinyhunters group with emerging in 2020 and focusing primarily on data theft and extortion rather than full-system encryption. Notable prior victims include several large consumer-facing services and government-adjacent contractors. Their typical playbook involves initial access through compromised credentials or third-party suppliers, quiet exfiltration of sensitive databases, followed by publication deadlines on dedicated leak sites to pressure targets into payment. In many cases they release small samples before threatening full dumps if ransoms remain unpaid.
What to do
- Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the no-subscription cleanup to remove what you can.
- Rotate any password you ever used at coe.int or related Council of Europe services, and enable 2FA through an authenticator app everywhere that password was reused.
- Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your data is caught and acted on in hours rather than months.
- Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts that often chain back to the same addresses or emails appearing in payroll files.
- Let remediation specialists handle takedown requests across data brokers and leak repositories while you focus on securing day-to-day accounts.
The incident underscores that even respected international bodies can become targets, leaving ordinary families exposed to long-term identity risks. Start your DoxxScan trial today for continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage including children’s gaming accounts. Taking these steps now can limit the damage from this breach and reduce the chance that future leaks escalate into personal crises.
Related breaches
Kevin Bao Lenguyen Listed by play Ransomware Group
United States…
Forces Listed by medusalocker Ransomware Group
Organization with 28 emails extracted. Domain: ***.gc.ca…
azarestan.com Listed by apt73 Ransomware Group
azarestan.com (Azarestan Business Development Group) is a holding company based in Iran. Azaresta...…
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →