The Council of Europe, the continent's leading human rights organisation, has confirmed it was hacked by the notorious cyber-criminal group ShinyHunters. The attackers exploited a vulnerability in the organisation's Oracle PeopleSoft system, a widely used enterprise resource planning platform. The breach adds the Strasbourg-based body to a growing list of victims that includes the University of Nottingham and more than 100 other unnamed entities globally.
ShinyHunters, known for selling stolen databases on underground forums, reportedly accessed sensitive data including names, email addresses and possibly financial records. The group has previously claimed responsibility for breaches at major companies such as Microsoft and AT&T. Security experts warn that the PeopleSoft vulnerability at the centre of this attack — tracked as CVE-2024-21287 — has been widely discussed in hacker forums since a patch was released by Oracle in October 2024.
For UK businesses, the incident underscores the critical importance of patch management. Many organisations continue to run outdated versions of enterprise software, leaving them exposed to known exploits. Dr. Sarah Whitmore, a cybersecurity researcher at the University of Cambridge, commented: 'This is a classic case of a known vulnerability being weaponised. The real question is why so many organisations — including high-value targets like the Council of Europe — are still failing to apply timely security updates.'
The breach also has implications for UK consumers whose data may be held by European institutions. Under UK data protection law, the Information Commissioner's Office (ICO) can impose fines of up to £17.5 million or 4 per cent of global turnover for serious breaches. Meanwhile, the EU's Artificial Intelligence Act, which comes into full force in 2026, will impose stricter cybersecurity requirements on organisations using AI-driven systems — though it does not directly govern legacy software like PeopleSoft.
For the UK economy, the attack highlights the growing cost of cybercrime, which the government estimates costs British businesses £27 billion annually. Smaller firms that lack dedicated security teams are particularly vulnerable, as they often rely on the same enterprise software as larger organisations. The National Cyber Security Centre (NCSC) advises all UK organisations to prioritise patching critical vulnerabilities and to implement multi-factor authentication wherever possible.
Looking ahead, the ShinyHunters group is expected to auction or leak the stolen data in the coming weeks. Affected individuals should remain vigilant for phishing attempts and monitor their financial accounts. The Council of Europe has stated it is working with law enforcement and cybersecurity experts to assess the full scope of the breach.