Back to Blog
high severity June 13, 2026 · scope unconfirmed

coe.int Listed by shinyhunters Ransomware Group

Over 297 GB of Council of Europe HR and payroll data (429,000+ files) was compromised across the Secretariat, Directorate of Human Resources, Parliamentary Assembly, EDQM, permanent and temporary staff, interpreters, conference services, language booth units, and payroll administration, including 409,000+ payslips for 10,000+ staff from 2011 to 2026, 14,000+ CVs and 3,700+ in-house personnel files, 10,700+ per-employee document stores, contract and purchase order records, mission travel overpayments, interpreter scheduling and 2026 salary scales, Blue List rosters, absence and illness reports,

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed June 13, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On June 13, 2026, the shinyhunters ransomware group listed the Council of Europe on its leak site after exfiltrating more than 297 GB of internal HR and payroll files containing 429,000+ documents.

Confirmed Details from Reporting

Public reporting indicates the compromised data spans the Council of Europe Secretariat, Directorate of Human Resources, Parliamentary Assembly, European Directorate for the Quality of Medicines (EDQM), and related support units. The files include 409,000+ payslips covering more than 10,000 permanent and temporary staff, interpreters, and conference services personnel from 2011 through 2026.

Additional records encompass 14,000+ CVs, 3,700+ in-house personnel files, 10,700+ per-employee document stores, contract and purchase order records, mission travel overpayments, interpreter scheduling details, 2026 salary scales, Blue List rosters, absence reports, and illness documentation. The sheer volume and sensitivity of these records make this one of the more significant exposures of European institutional personnel data in recent years.

Why This Matters for You and Your Family

When an organization that processes employment, salary, and personal identification data for thousands of people suffers a breach, the ripple effects reach far beyond the immediate victims. If you or anyone in your household has ever worked with European institutions, applied for roles there, or had family members whose payroll or travel records passed through these systems, your information may now sit in an attacker-controlled archive.

Names, addresses, dates of birth, salary histories, bank details tied to reimbursements, and medical absence notes can be combined with other publicly available fragments to build detailed profiles. For ordinary families this often translates into increased risk of identity theft, targeted phishing, or fraudulent loan applications opened in your name.

The Doxxing and Identity-Chain Risks

HR and payroll leaks rarely stay isolated. Attackers routinely cross-reference employee CVs, interpreter rosters, and contact lists with gaming usernames, social-media handles, and family-member emails. A single exposed work address or spouse’s name can link a professional identity to personal accounts in hours.

Credential leaks like this one cascade into account takeovers and doxxing chains, especially when children’s gaming accounts reuse an email address that appears in a parent’s personnel file. Once the chain is mapped, extortion demands or public shaming become straightforward for the attackers.

Shinyhunters’ Publicly Known Track Record

Public reporting attributes the shinyhunters group with emerging in 2020 and focusing primarily on data theft and extortion rather than full-system encryption. Notable prior victims include several large consumer-facing services and government-adjacent contractors. Their typical playbook involves initial access through compromised credentials or third-party suppliers, quiet exfiltration of sensitive databases, followed by publication deadlines on dedicated leak sites to pressure targets into payment. In many cases they release small samples before threatening full dumps if ransoms remain unpaid.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the no-subscription cleanup to remove what you can.
  • Rotate any password you ever used at coe.int or related Council of Europe services, and enable 2FA through an authenticator app everywhere that password was reused.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your data is caught and acted on in hours rather than months.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts that often chain back to the same addresses or emails appearing in payroll files.
  • Let remediation specialists handle takedown requests across data brokers and leak repositories while you focus on securing day-to-day accounts.

The incident underscores that even respected international bodies can become targets, leaving ordinary families exposed to long-term identity risks. Start your DoxxScan trial today for continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage including children’s gaming accounts. Taking these steps now can limit the damage from this breach and reduce the chance that future leaks escalate into personal crises.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.