Major Data Breach Hits University of Nottingham, Affecting Hundreds of Thousands

The University of Nottingham confirmed on Wednesday that a cybercriminal group infiltrated its student records system, exposing sensitive personal data belonging to 454,600 current and former students across its UK, Malaysia, and China campuses. The university has reported the incident to the UK’s Information Commissioner’s Office (ICO) and Action Fraud.

ShinyHunters Claims Responsibility

The ShinyHunters extortion gang claimed responsibility for the attack on Tuesday, publishing an archive of allegedly stolen documents on their dark web leak site as proof. The group asserts it exfiltrated over 40GB of data, including student finance records, billing and payment information, credit card details, and campus portal exports.

According to ShinyHunters, the stolen dataset contains victims’ full names, home addresses, IP addresses, phone numbers, and dates of birth. Breach notification service Have I Been Pwned confirmed on Wednesday that the compromised records also include ethnicities, disabilities, passport numbers, and academic enrollment and fee payment information.

Part of a Broader Oracle PeopleSoft Campaign

The Nottingham breach is not an isolated incident. According to BleepingComputer, ShinyHunters has conducted a widespread data theft campaign targeting over 100 organizations worldwide by exploiting vulnerabilities in Oracle PeopleSoft instances — both cloud-hosted and on-premises.

PeopleSoft is an enterprise software suite widely used by large institutions to manage human resources, finance, payroll, and campus administration. ShinyHunters told BleepingComputer they are leveraging a “gadget chain” combining zero-day exploits and known vulnerabilities, though successful exploitation reportedly varies depending on each system’s configuration.

BleepingComputer has contacted Oracle to confirm whether the company is aware of an actively exploited PeopleSoft zero-day. No response has been received at time of publication.

A Growing Threat to UK Higher Education

Nottingham is the second UK university to disclose a breach within days. The University of Oxford revealed last week that its CareerConnect platform was compromised on May 28. Oxford had also reported a separate breach in early May, following ShinyHunters’s attack on Instructure’s Canvas learning management system.

The University of Nottingham, a top-20 UK institution employing 7,000 staff and serving over 46,000 students, stated it is working with the third-party platform provider to lead a forensic investigation into the full scope of the incident.

Key Takeaways for Security Leaders

CISOs and IT leadership relying on Oracle PeopleSoft for enterprise or campus administration should treat this campaign as an active threat and urgently audit their configurations and patch levels.