Wave of Data Leaks: ShinyHunters Breaches Council of Europe, Ransomware Hits Global Schools Foundation

June 17, 2026

Summary

A series of significant cyberattacks and data leaks has disrupted international bodies, educational institutions, and millions of individuals over the past week. Key incidents include a suspected breach at the Council of Europe claimed by the cybercrime syndicate ShinyHunters, a major ransomware attack on the Singapore-based Global Schools Foundation by FulcrumSec, and the addition of the massive “June 2026 Stealer Logs” dataset (comprising 56 million email addresses) to the Have I Been Pwned platform. These events underscore the persistent risks posed by zero-day exploits and infostealer malware.

What happened?

Three major security incidents have unfolded recently:

  • Council of Europe: Over the weekend of June 13–14, 2026, the ShinyHunters group claimed responsibility for breaching the Council’s network, exfiltrating 297 GB of data containing over 429,000 files. Compromised records include HR and payroll data of over 10,000 staff members spanning 2011 to 2026. The group reportedly exploited a zero-day vulnerability in Oracle’s PeopleSoft software.
  • Global Schools Foundation (GSF): GSF, a network of international schools based in Singapore, fell victim to a ransomware attack by FulcrumSec. The attackers allegedly exfiltrated 4.8 TB of data, including student passport numbers, staff-parent communications, and salary logs. GSF confirmed the cybersecurity incident and stated that their systems have since been restored.
  • Have I Been Pwned (HIBP): The service added a dataset named “June 2026 Stealer Logs,” consisting of approximately 56 million unique email addresses and 124 million unique passwords harvested by infostealer malware from compromised user devices worldwide.

Why it matters

These breaches highlight different critical threat vectors. The Council of Europe incident demonstrates the severe risk that zero-day vulnerabilities in enterprise application suites (like PeopleSoft) pose to high-profile political and administrative entities. The ransomware attack on GSF reflects an escalating trend of cybercrime targeting the EdTech and education sector, exposing sensitive information belonging to minors. Finally, the HIBP stealer log dump exposes the staggering volume of credential harvesting via malware on end-user machines, bypassing traditional server-side security.

Evidence

  • ShinyHunters: The threat actors listed the Council of Europe on their dark web leak portal, setting an ultimatum of June 16, 2026.
  • GSF Breach: FulcrumSec claimed the attack online, and Singapore’s Personal Data Protection Commission (PDPC) along with the Cyber Security Agency (CSA) confirmed they are investigating the incident.
  • HIBP Update: Troy Hunt officially announced the addition of the 56 million credentials to HIBP’s searchable database.

Analysis

The alleged exploitation of a PeopleSoft zero-day shows that even highly secure intergovernmental organizations struggle to defend against sophisticated zero-day campaigns. Educational networks like GSF are heavily targeted because they store rich personal histories of families and children while often operating with fewer cybersecurity resources than commercial enterprises. The rise of infostealer logs further indicates that cybercriminals are pivoting toward end-user endpoints, including personal devices used for work (BYOD), as an initial access vector into corporate networks.

Practical Takeaways

  • For Enterprises: Immediately audit and patch software suites like Oracle PeopleSoft. Implement strict network segmentation and identity management.
  • For Schools & EdTech: Fortify data storage policies, especially concerning student identity documents, and ensure offline backups are maintained.
  • For End-Users: Search for your email addresses on “Have I Been Pwned”. If an address appears as compromised, change your passwords immediately, enable multi-factor authentication (MFA) everywhere, and perform a full malware scan on all personal devices to remove potential infostealers.

Open Questions

  • Will the Council of Europe negotiate with ShinyHunters, or will the exfiltrated HR files be leaked to the public?
  • How many other organizations using PeopleSoft are currently compromised by the same zero-day vulnerability?
  • What actions will regulators take to mandate stronger endpoint protection standards for school networks storing student passports?

Sources

  1. SecurityWeek: Council of Europe Investigating Data Theft Claims by ShinyHunters
  2. Cybernews: ShinyHunters Targets Council of Europe
  3. The Straits Times: Global Schools Foundation Hit by Cybersecurity Incident
  4. Channel NewsAsia: Singapore Authorities Investigate GSF Breach
  5. Have I Been Pwned: June 2026 Stealer Logs Added
  6. Golem: Millions of Credentials Leaked in Stealer Logs