Council of Europe
ShinyHunters dumps 297GB of HR files from Europe's oldest human rights organization—payslips, CVs, and financial records for staff across 46 member states.
What happened?
ShinyHunters claimed a breach of the Council of Europe, exfiltrating 429,000 files totaling 297GB. The Council of Europe is an international organization founded in 1949, headquartered in Strasbourg, with 46 member states. It focuses on human rights, democracy, and rule of law across Europe.
The breach targeted HR systems, exposing payslips, personnel records, CVs, and financial information for staff working across the organization's operations.
What data was actually inside?
Payslips revealing salaries, deductions, and banking details. HR records containing employment history, performance reviews, and personal information. CVs with career histories, contact details, and educational backgrounds. Financial information related to employee compensation and benefits.
429,000 files represent comprehensive personnel documentation accumulated over years of operations. The Council employs thousands of staff across its Strasbourg headquarters and field operations—each with extensive HR documentation now potentially exposed.
Who gets hurt and how?
Council of Europe employees whose salaries, banking details, and career histories are now exposed. Staff who work on sensitive human rights issues—some of whom may face risks in certain member states—whose employment is now documented in leaked files.
International organization staff often come from diverse backgrounds. CVs reveal citizenship, education, and career paths. For staff from countries with authoritarian governments, employment with a human rights organization creates personal risk that exposed personnel files compound.
What did they think they were doing right?
International organizations operate under frameworks designed to protect their operations and personnel. The Council of Europe maintains IT security appropriate for diplomatic and legal work. They handle sensitive human rights documentation regularly.
But HR systems often receive less security focus than operational systems. Payroll, personnel files, and CVs are "administrative" rather than "sensitive"—until they're breached. The data that enables employment is also the data that creates exposure.
What did they not know about their own data?
HR systems accumulate decades of personnel files. Past employees, applicants, contractors, seconded staff from member states. Payslips from years of operations. CVs submitted by applicants who were never hired. The data footprint of a 75-year-old organization is substantial.
429,000 files suggest historical depth far beyond current employment. How long should payslips be retained? Why do CVs from 2010 applicants still exist in accessible systems? Without data inventory and retention enforcement, administrative systems become a breach liability.
If your business runs on databases, you probably have similar records—customer data, credentials, financial information. Do you know what's actually in yours?
What does attribution look like the morning after?
International organizations operate under special legal frameworks. The Council of Europe has headquarters in France but operates across 46 member states. Staff come from across Europe. Notification obligations span multiple jurisdictions.
Beyond legal obligations, the reputational impact matters. An organization focused on human rights and rule of law has suffered a breach exposing the personal data of staff who work on those issues. The irony isn't lost on adversaries or observers.
What would have changed the outcome?
Knowing what 75 years of HR operations had accumulated—and implementing retention limits on administrative data.
429,000 files is decades of accumulation. Aggressive retention policies—deleting payslips after legal requirements expire, purging old applicant CVs, archiving historical personnel files offline—would have dramatically reduced what attackers could access. HR data has a shelf life. Treat it that way.
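A sketch of the retention enforcement described above and of the data-inventory point made earlier, added here as an example; it is not the Council's or any vendor's tooling. The categories, retention periods, paths and dates are assumptions made up for illustration, and real periods come from the applicable legal requirements.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy for illustration only: the retention periods are placeholders,
# not legal requirements. Actions mirror the three measures named in the text.
POLICY = {
    "payslip": (10, "delete"),                  # delete once the legal period expires
    "applicant_cv": (2, "purge"),               # purge CVs of applicants never hired
    "personnel_file": (5, "archive_offline"),   # years after departure
}

@dataclass(frozen=True)
class Record:
    path: str
    category: Optional[str]   # None = never classified in the data inventory
    reference_date: date      # pay period end, application date, or departure date

def years_between(start: date, end: date) -> int:
    """Whole years elapsed from start to end."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years

def plan_retention(inventory, today, policy=POLICY):
    """Return {path: action}: a policy action, 'keep', or 'review' for
    records the policy cannot classify."""
    plan = {}
    for rec in inventory:
        rule = policy.get(rec.category)
        if rule is None:
            plan[rec.path] = "review"   # unknown data cannot have retention enforced
            continue
        max_years, action = rule
        age = years_between(rec.reference_date, today)
        plan[rec.path] = action if age >= max_years else "keep"
    return plan

# Constructed sample inventory (paths and dates are invented for the example).
SAMPLE = [
    Record("hr/payroll/2009-03_emp1041.pdf", "payslip", date(2009, 3, 31)),
    Record("hr/payroll/2024-11_emp2210.pdf", "payslip", date(2024, 11, 30)),
    Record("hr/recruit/2010/cv_applicant_77.docx", "applicant_cv", date(2010, 6, 14)),
    Record("hr/staff/emp0312/file.pdf", "personnel_file", date(2016, 1, 15)),
    Record("hr/misc/export_final_v2.xlsx", None, date(2013, 9, 2)),
]

if __name__ == "__main__":
    for path, action in plan_retention(SAMPLE, date(2025, 1, 1)).items():
        print(f"{action:16} {path}")
```

The function only produces a plan; acting on it (deletion, offline archiving) is left to a reviewed process, and every "review" entry marks data that has not yet been inventoried.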
The Council of Europe found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.