ShinyHunters claims to have breached the Council of Europe and stolen more than 297 GB of data after exploiting a zero-day flaw in Oracle PeopleSoft and abusing that hole to hack more than 100 organizations. According to a post on the extortion crew’s data-leak site, the 429,000 pilfered files contain HR and payroll records, payslips, purchase-order records, CVs, and employees’ salary, banking, tax, and medical records. A Council of Europe spokesperson told The Register that it is “currently investigating the matter and assessing the situation,” but declined to comment further. A spokesperson for the cybercrime group told us that the Council is yet another victim of the Oracle PeopleSoft heist. Oracle has yet to respond to The Register’s inquiries, and it's unclear if the vulnerability, tracked as CVE-2026-35273, has been patched. ShinyHunters previously told us that the gang exploited the CVE to compromise more than 100 organizations across 300 vulnerable instances, and that these victims included the University of Nottingham. Last week, the crims listed the UK uni on their leak site, then dumped data belonging to around 454,600 current and former students, including personal and academic records. Meanwhile, a Google threat report published late last week noted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and said that its incident responders notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints." Most of these are US-based organizations, and 68 percent operated within the higher education sector. This latest heist follows another ShinyHunters intrusion targeting data belonging to university and K-12 students, teachers, and staff. In mid-May, ed-tech giant Instructure said it “reached an agreement” - this is corporate-speak for “paid the ransom demand” - with the data theft and extortion crew after ShinyHunters breached its Canvas digital learning platform and accessed data tied to 275 million students, teachers, and staff. In March, ShinyHunters claimed it stole data from K-12 software provider Infinite Campus as part of a broader wave of Salesforce-related intrusions. The ed tech company did not pay up, and the group subsequently published data they claim was stolen from Infinite Campus, including 137,000 individuals’ email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus, in its data breach notification, said that the leaked files largely consisted of “names and contact information for school staff" and that “the majority is directory information commonly found on school websites.” ®

“Marco Fassoni Accetti è il nuovo indagato per la scomparsa di Emanuela Orlandi”: a scriverlo è il quotidiano Repubblica. Mentre si attendono conferme ufficiali, il controverso fotografo romano sarebbe “nel mirino della Procura di Roma” che da tre anni ha riaperto le indagini sulla cittadina vaticana misteriosamente sparita a Roma il 22 giugno del 1983. Nell’ambito di questa inchiesta, la terza su Emanuela Orlandi, ricordiamo che c’è già una persona iscritta nel registro degli indagati, Laura Casagrande.

Le indagini della Procura di Roma

“Accetti è di nuovo indagato per quella scomparsa (di Emanuela, ndr). Il sospetto è che il fotografo romano possa aver fatto parte di una rete di adulti dedita all’adescamento di adolescenti da mettere a disposizione di terzi”, scrive Repubblica. In questa prospettiva sembra quindi prendere forza, rispetto al rapimento della Vatican Girl, la pista della pedofilia già emersa in passato. Rapitore, telefonista, carceriere: per anni Accetti, oggi 70enne, si è attribuito più ruoli nella vicenda di Emanuela Orlandi e anche in quella di Mirella Gregori, che è stata associata alla Orlandi, all’epoca dei fatti (in seguito ai comunicati di fantomatici rapitori). I magistrati già nel 2013, hanno archiviato le sue dichiarazioni definite dagli inquirenti una “sceneggiatura fantasiosa”. In quella occasione, Accetti si autoaccusò davanti ai pm di essere stato il rapitore sia di Emanuela che di Mirella e fu bollato come inattendibile. Ma adesso le cose sembrano cambiate, forse proprio in seguito alla lunga audizione di Accetti davanti alla commissione di inchiesta Orlandi-Gregori. E alcuni casi di scomparsa che hanno segnato la Roma degli anni ’80 potrebbero essere riletti dai magistrati in una nuova prospettiva. “Il ruolo di Accetti continua a essere valutato con estrema cautela dagli investigatori ma oggi si colloca in un quadro più ampio e differente. Quello che i pm stanno verificando non riguarda più solo l’attendibilità delle sue auto accuse”
(fonte: Repubblica). “I carabinieri del Nucleo investigativo di via In Selci stanno ascoltando molti testimoni già sentiti all’epoca e cercandone di nuovi (…)I magistrati stanno inoltre raccogliendo dichiarazioni di uomini e donne che all’epoca erano adolescenti e che oggi raccontano di aver conosciuto il fotografo attraverso la promessa di shooting. L’obiettivo è capire se li accompagnasse in abitazioni private o li introducesse a persone sconosciute” (fonte: Repubblica).

Le novità dell’inchiesta e il caso Garramon

Sempre secondo quanto riporta Repubblica, la novità più evidente delle nuove indagini romane riguarda gli accertamenti su Accetti estesi anche alla scomparsa di Mirella Gregori e ad altri misteri romani di quegli anni. “Il vero punto di rottura dell’indagine coordinata dal pm Stefano D’Arma porta all’Eur, alla Pineta di Castel Porziano e alla morte di un ragazzino di 13 anni, Josè Garramon” fonte: Repubblica). La morte di Garramon risale allo stesso periodo delle misteriose scomparse di Emanuela e Mirella (20 dicembre 1983) ed è stato l’’unico crimine per cui Accetti è stato condannato in via definitiva, per il reato di omicidio colposo e omissione di soccorso. A travolgere il corpo del ragazzino, figlio di un diplomatico uruguaiano, fu proprio Accetti a bordo del suo furgone Ford Transit. Resta un punto oscuro e inspiegabile tuttavia come il bambino, che si era allontanato da casa per andare dal barbiere all’Eur, fosse riuscito ad arrivare quel giorno da solo e al buio in una pineta a 20 chilometri da casa. Chi lo portò a Castel Porziano quel giorno e perché? Ed è proprio alla luce di queste mai risolte incongruenze che i magistrati romani potrebbero voler indagare, per risalire a un ruolo di Accetti nel contesto romano di quegli anni, andando ben oltre l’aura di mitomane depistatore che ha avvolto la sua persona in questi 43 anni.

L’amerikano e Katty Skerl

Secondo quanto riporta Repubblica, i Carabinieri stanno cercando di fare chiarezza anche sulle telefonate dell’Amerikano, l’uomo dall’accento straniero che telefonò a casa di Emanuela Orlandi dell’estate del 1983, identificandosi come il rapitore della ragazza. Accetti, lo ricordiamo, si è autoaccusato anche di essere l’Amerikano. Scopo delle nuove indagini è “stabilire se dietro quelle voci alterate e quelle missive possa esserci stata la mano o la voce di Accetti”, scrive Repubblica. Le autoaccuse di Marco Accetti non si sono limitate ai casi Orlandi e Gregori ma hanno coinvolto anche un altro cold case romano: l’omicidio irrisoolto di Katty Skerl. La 17enne fu ritrovata strangolata in una vigna a Grottaferrata nel gennaio 1984. Nel 2013, Accetti srisse sul suo blog che la bara della ragazza era stata trafugata dal cimitero del Verano e collegò il macabro furto al caso di Emanuela Orlandi. Le sue dichiarazioni caddero nel vuoto ma nel 2022, la Procura dispose l’apertura del loculo che fu ritrovato in effetti vuoto: la bara di Katty era stata realmente rubata. Alla commissione parlamentare d’inchiesta Orlandi-Gregori che lo ha audito per ben sette ore, Accetti ha anche consegnato un lunghissimo memoriale. Dopo 43 anni forse è davvero arrivato il momento di vagliare tutte le confessioni e i racconti di Accetti per chiarire se abbia avuto ruolo in queste oscure vicende, o se sia stato solo un depistatore di professione.

L'articolo “Marco Fassoni Accetti è il nuovo indagato per la scomparsa di Emanuela Orlandi, faceva parte di una rete dedita all’adescamento di adolescenti”: la svolta nelle nuove indagini della Procura di Roma proviene da Il Fatto Quotidiano.

Data theft and extortion group ShinyHunters has exploited a critical Oracle PeopleSoft bug as a zero-day to compromise more than 100 organizations, including the University of Nottingham, across 300 vulnerable instances. A spokesperson for the cybercrime crew on Thursday told The Register that they exploited CVE-2026-35273 to break into the university’s PeopleSoft system and steal 40 GB of personal data and billing records belonging to hundreds of thousands of current and former students. ShinyHunters posted the UK university on its data leak site on Tuesday before publishing the stolen files later that same day, presumably because the school refused to pay the extortion demand. “University of Nottingham on our leak site is one of the first publicly confirmed incidents,” a ShinyHunters spokesperson told us. “We have only just started outreach to affected orgs and are actively looking to reach an agreement with affected orgs.” They didn’t say when they planned to post the other 100 or so claimed victims. A Google threat intelligence report published Thursday afternoon corroborated ShinyHunters’ claims to have compromised more than 100 organizations. Google said it spotted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints." Most of these, we’re told, are based in the US and 68 percent are in the higher-education sector. PeopleSoft is a widely used enterprise software suite that large corporations and institutions use to manage their human resources, payroll and billing applications, supply chains, and student records. CVE-2026-35273 is a 9.8 CVSS-rated vulnerability that allows remote, unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools and fully take over the platform. On Wednesday, a day after ShinyHunters leaked the school’s data, the University of Nottingham confirmed the breach and Oracle issued an out-of-band security alert. It’s unclear, however, if the software provider has issued a patch to fix the security flaw. The Register reached out to Oracle, and did not receive any response to our questions. Google-owned Mandiant Chief Technology Officer Charles Carmakal, in a brief LinkedIn post on Thursday, warned that PeopleSoft was one of two zero-day vulnerabilities “actively being exploited in the wild.” “Oracle released mitigations,” Carmakal wrote. “Patches should come soon.” The other zero-day, for the record, is this Cisco Catalyst SD-WAN Manager vulnerability.®

Great Marlow School in Buckinghamshire, England, has entered its second day of a shutdown following "a suspected malware incident." Only students sitting their GCSE and A-level exams – those in Years 11 and 13 – were permitted to attend on Wednesday, in line with their exam timetable, and the same goes for Thursday. Students in other years (Years 6-10 and Year 12) were told to stay at home and access what revision materials they can via Microsoft Teams as teachers are currently unable to set them any work. Those scheduled to take internal mock exams, students in Years 10 and 12, will sit them later in the year. Some extracurricular activities, such as Year 7's learn-to-row session, have been rearranged, although the 7 and 8 athletics event will go ahead on Thursday as planned. Great Marlow School's statement suggests it remains in the containment stage of its recovery, with limited access to systems. "As a precautionary measure, we have restricted access to elements of our network while we investigate the issue thoroughly and take the necessary steps to ensure the security and integrity of our systems and data," headteacher Guy Pendlebury said in a statement on the school's website on Tuesday evening. "We are responding in line with guidance from the Department for Education (DfE) and the National Cyber Security Centre (NCSC). Immediate action has been taken to contain the incident, and we are working closely with specialist IT and cybersecurity professionals to fully assess the situation and restore normal operations as quickly and safely as possible. Appropriate reporting procedures have also been followed." The school did not comment on whether the attack involved ransomware or if any of its data was presumed compromised. It adds to a grim week for cybersecurity in the education sector. A high school in Illinois also closed for two days this week due to a ransomware attack, but reopened on Wednesday, although its phone lines are still down. And Nottingham Uni confirmed it was the victim of Shiny Hunters. In Wales, 13 schools across the Powys region were affected by a cyberattack that is thought to have led to data theft from only one of these institutions. Powys council disclosed the attack on June 4, saying it was originally identified in April, and sensitive data belonging to students and school staff is suspected of being compromised. None of the 13 schools have closed, however. ®

The University of Nottingham has confirmed a cyberattack on its student record system after the ShinyHunters crew claimed to have stolen tens of gigabytes of data from the Russell Group institution. "The University of Nottingham has been the victim of a cyber incident and a significant amount of data in our student record system has been accessed by a well-known cybercriminal group," a spokesperson told The Register. "We are working with the third party that maintains the platform to lead a forensic investigation. We understand that those affected will have concerns about what this means for their personal data and we will be offering advice and support to our students as we learn more. "We take the privacy and security of data that we hold seriously, and we have reported this incident to Action Fraud and the Information Commissioner's Office. The university will continue to provide them with further information as our investigation progresses." ShinyHunters claimed responsibility for the attack on Tuesday, saying they had stolen around 40 GB of the institution's data. It reckons this included billing and payment records, credit card and payment details, student finance data, and "campus portal exports." The criminal crew further claimed that the University of Nottingham's Malaysia and China campuses were also compromised. On Wednesday evening, breach notification service Have I Been Pwned added the 10 GB dataset leaked by ShinyHunters to its database, saying around 454,600 university-related email addresses were included. "Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information, including names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and information relating to academic enrolments and fee payments," HIBP stated. Around the same time, the university acknowledged the attack publicly, saying it affected both current students and alumni. Individuals believed to be affected have been contacted directly, and the university has stood up a dedicated support line. The attack could hardly have come at a worse time for Nottingham, which is embroiled in a dispute with staff after confirming hundreds of redundancies over the next three years. University employees, including teaching staff, have revolted, protesting against the decision by refusing to mark students' assessments. The University and College Union (UCU) entered a period of industrial action on June 1, saying it would not end until July 31. This includes a two-month strike and a boycott of marking duties, similar to action taken by staff in 2022 and 2023. Students have just finished sitting their end-of-year exams, but potentially face having their degree classification decided by predictions based on prior grades, per the university's contingency plans, if staff continue to refuse to carry out marking duties. Alternatively, students can wait to receive their final results, but these will come later than their peers' – not just at Nottingham but at other UK universities – and leave them at a time disadvantage when applying for graduate schemes and entry-level jobs. UK education battered The attack on the University of Nottingham comes amid a spate of other incidents affecting UK schools. Powys council confirmed on June 4 that a cyberattack was affecting 13 schools in the Welsh county, and that data had been stolen from at least one of them. Additionally, Great Marlow School in Buckinghamshire entered its second day of a shutdown today after a "suspected malware attack" on the school forced it into a containment phase. Most students, other than those attending to take their GCSE and A-level exams, have been told to stay home, with teachers unable to set remote work. Students should access what revision materials they can via the school's Microsoft Teams network. ®