"The University of Nottingham has been the victim of a cyber incident and a significant amount of data in our student record system has been accessed by a well-known cybercriminal group," the university told reporters, confirming a breach that the institution says touches both current students and alumni.
University response and the ongoing forensic inquiry
The University of Nottingham said it is "working with the third party that maintains the platform to lead a forensic investigation" after confirming that a hacking group gained access to its student records system. The university also stated it has reported the incident to the UK's Information Commissioner's Office and to Action Fraud. The institution has not publicly attributed the attack; however, a cybercrime group has claimed responsibility.
Scale of the breach and the types of data exposed
Independent analysis cited by the reporting shows the breach affects 454,600 former and current students. The notification service Have I Been Pwned said the leaked material includes email addresses and "extensive personal information" such as names, home addresses, phone numbers, dates of birth, ethnicities, disabilities, passport numbers, and details related to academic enrolments and fee payments.
The ShinyHunters extortion gang, which claimed responsibility, said on its dark web leak site that it stole more than 40GB of documents. According to the group’s post and the university’s statement to reporters, the archive allegedly contains student finance data, billing and payment information, credit card and payment details, campus portal exports, and items tied to the university’s Malaysia and China campuses. The group also stated the documents include IP addresses for affected students.
ShinyHunters and a wider Oracle PeopleSoft campaign
BleepingComputer places the Nottingham incident within a wider spree: ShinyHunters has reportedly stolen data from more than 100 organizations after breaching cloud and on-premises Oracle PeopleSoft instances. PeopleSoft is described in the reporting as an enterprise business software suite used for large-scale operations including human resources, finance, payroll and campus administration.
ShinyHunters told BleepingComputer it is leveraging a "gadget chain" of zero-days and older vulnerabilities in these attacks, and that the exploit approach does not work on all systems — success depends on each PeopleSoft instance’s configuration. BleepingComputer also said it reached out to Oracle for confirmation of an actively exploited PeopleSoft zero-day but had not received a reply at the time of reporting.
Other recent UK university disclosures
The Nottingham disclosure follows other higher-education data incidents disclosed recently in the UK. The University of Oxford revealed last week that its CareerConnect platform had been compromised on May 28. Oxford also reported an earlier breach in early May linked to ShinyHunters’ theft from Instructure’s Canvas learning management system, per the reporting.
What this means for technologists, regulators, and affected students
- Technologists and security teams: the reporting highlights PeopleSoft instances as a recurring target; teams responsible for PeopleSoft deployments will focus on configuration, patching and forensic review because ShinyHunters said successful exploitation varies by instance configuration and uses a mix of zero-days and legacy flaws.
- Regulators and law enforcement: the university has already notified the Information Commissioner’s Office and Action Fraud, which places the incident into formal regulatory and criminal-reporting channels that will receive the university’s forensic findings and any follow-up evidence shared by the third-party platform maintainer.
- Affected students and alumni: with personal identifiers, passport numbers, payment card details and home addresses reported among the leaked files, those named in the disclosure will face elevated risk of fraud or identity misuse and will likely monitor financial accounts, communications and official notices from the university and regulators.
The immediate facts are straightforward: a major university’s student records system was accessed and a large trove of personal and financial records has been posted by a criminal group that ties the incident to a broader campaign against Oracle PeopleSoft deployments. Key next steps named in the reporting are the university’s forensic investigation led with its platform maintainer, the formal notifications to the Information Commissioner’s Office and Action Fraud, and unanswered technical questions — including Oracle’s assessment of an allegedly exploited PeopleSoft zero-day — that the reporting says remain unresolved.
Source: BleepingComputer — Nottingham University data breach affects over 450,000 students
