The Council of Europe confirmed Monday that it is investigating a breach of its internal systems, making it an institutional anchor for what researchers describe as a single-vulnerability campaign against more than 100 organizations running Oracle's PeopleSoft HR and payroll platform. The 46-member human-rights body, headquartered in Strasbourg, joins the University of Nottingham, where roughly 454,600 students were affected in a related intrusion, as the only named victims on the record so far.
ShinyHunters, a data-theft and extortion group, told The Register it exploited a previously unknown flaw in PeopleSoft, tracked as CVE-2026-35273, to exfiltrate approximately 297 gigabytes and 429,000 files from the Council of Europe's environment. The group claims the cache includes HR and payroll records, payslips, purchase-order documents, CVs, and employee salary, banking, tax, and medical records, categories that go well beyond credential theft and into the kind of data employers are expected to keep confidential (The Register).
A Council of Europe spokesperson confirmed only that the organization is "currently investigating the matter and assessing the situation" and declined further comment as of June 15. The 297 GB and 429,000-file figures remain attacker-attributed and await forensic confirmation from the victim.
The wider pattern is what makes this more than another ransomware story. According to reporting tied to a Google threat-intelligence notice, exploitation of the same PeopleSoft vulnerability ran from May 27 through June 9, with notifications sent to more than 100 organizations across roughly 300 vulnerable PeopleSoft instances. Sixty-eight percent of the notified organizations were in higher education, and most of the remainder sat in the United States, putting university CIOs and procurement officers directly in the affected population. Oracle has not responded to inquiries about CVE-2026-35273, and it remains unclear whether a patch has shipped.
PeopleSoft is Oracle's longstanding enterprise HR and payroll platform, common in large universities, government agencies, and multinational employers. A single unpatched flaw in software that centralizes salary, banking, tax, and medical data turns the usual "patch your servers" message into a data-protection problem with regulatory weight. In the Council of Europe's case, the data-protection officer of a 46-state body now sits between the organization and its staff, and the European Data Protection Supervisor has standing to weigh in on any EU-adjacent processing of those records.
The ShinyHunters pattern is not new. The same group has previously claimed responsibility for breaches at the University of Oxford via a career platform and at Instructure, the Canvas learning-management vendor, which paid a ransom. "Reached an agreement" and similar euphemisms do not undo the leak: the data, once taken, circulates, and the longer the vendor patch window stays open, the more the same records become a recurring liability for the affected organizations.
What to watch: whether Oracle confirms a patch for CVE-2026-35273 in an upcoming Critical Patch Update, what the Council of Europe's data-protection officer says about the data categories actually exposed, and whether the European Data Protection Board or France's CNIL opens a notification file given the Strasbourg seat. The empirical question for security teams is whether higher education and other PeopleSoft operators treat a confirmed 100+ organization breach as the prompt to inventory every PeopleSoft instance they own, or treat it as another Monday morning line item.