The University of Nottingham didn't mince words. On Wednesday, June 10th, the institution confirmed what had already been whispered across security circles for a day: a well-known cybercriminal group had slipped into its student records system and walked off with a significant amount of data. Current students, former alumni — nobody was spared.
The timing wasn't coincidence. Nottingham is currently locked in a brutal dispute with its own staff over 2,700 potential redundancies — more than a third of the workforce. Staff have been refusing to mark assessments since June 1st, and students are staring down the barrel of degree classifications based on predictions from prior grades rather than their actual final-year work. The BBC put it bluntly: the attack could hardly have come at a worse time.
It's easy to see why. When you're already fighting for your degree, having your personal data stolen by a group that's been targeting organizations worldwide feels like salt in an open wound.
Who's Behind the Breach
ShinyHunters claimed responsibility on Tuesday — a day before Nottingham's official confirmation. The extortion gang posted an archive of allegedly stolen documents on their dark web leak site as proof, and the scale is staggering.
They're claiming roughly 40 gigabytes of data stolen from Nottingham's PeopleSoft Campus Solutions system, plus its Malaysia and China campuses. That includes billing records, credit card details, student finance data, campus portal exports, and a whole lot more.
This isn't ShinyHunters' first rodeo with PeopleSoft. They've stolen data from over 100 organizations worldwide through a campaign targeting Oracle's enterprise software. They told BleepingComputer they're using a "gadget chain" of zero-days and old vulnerabilities, noting that exploitation depends on each PeopleSoft instance's configuration — which explains why some systems fall and others hold.
Troy Hunt, founder of Have I Been Pwned, offered a chilling observation: the hackers behind these operations are "usually teenagers or early 20s, very often still legally children." The infrastructure is sophisticated. The operators? Kids.
The Scale: 454,600 Unique Email Addresses
Have I Been Pwned confirmed the numbers on Wednesday evening. The leaked dataset contains 454,600 unique email addresses tied to the University of Nottingham. Hunt noted that the actual number of affected individuals will be a subset — many people have both university and personal email addresses, so the same person could appear twice in the count.
Jonathan Lee from Trend AI confirmed that approximately 40GB of data had "gone missing" from a trusted source. The scope is massive: current students, former students, alumni across three continents.
The data exposed goes far beyond names and emails. According to Have I Been Pwned, the leak includes academic records, citizenship statuses, dates of birth, disabilities, ethnicities, genders, IP addresses, passport numbers, phone numbers, physical addresses, purchases, and usernames. Passport numbers are particularly alarming — Hunt flagged "tens of thousands" exposed alongside other personally identifiable information, which significantly elevates identity theft risk.
What the University Knew (and When They Knew It)
The university identified unauthorized activity on its Campus Solutions system on Tuesday, June 9th. They immediately took the affected systems offline and launched a comprehensive investigation.
Chief Governance and Risk Officer Jason Carter emailed affected students with what he called the "precautionary assumption" of four data categories accessed:
- Contact information: names, email addresses, postal addresses
- University-related details: course information, student/staff IDs
- Financial information: billing records, credit card/payment details, student finance data
- Personal information: NI numbers, protected characteristics (ethnicities, disabilities)
The university apologized for "any anxiety" caused and established a dedicated support line: 0115 74 86500. All affected students and alumni were contacted directly.
The university reported the incident to Action Fraud, the Information Commissioner's Office (ICO), and the National Cyber Security Centre. The East Midlands Special Operations Unit confirmed it is investigating — though they noted the probe is "in its early stages."
How They Got In: Two Theories
BBC expert analysis on June 17th laid out two competing theories about the attack vector.
Troy Hunt suggested voice phishing — fraudulent phone calls to trick staff into revealing access credentials. It's a classic social engineering play, and ShinyHunters' "normal way of operating" involves voice phishing, according to Jonathan Lee.
But Lee believed this was more likely a supply chain attack. He pointed out that vulnerabilities in third-party systems managing student data could have been the entry point: "It's quite possible that this vulnerability in a third-party system... was the way the threat actor got into the environment and then moved around."
Either way, the result is the same: a well-resourced extortion gang walked into one of the UK's top universities and took what they wanted. The university told the BBC it couldn't comment on the nature of the attack due to an ongoing investigation, but Oracle hasn't confirmed whether it's aware of an actively exploited PeopleSoft zero-day.
Why Hackers Target Universities
The motive is straightforward: money. Hunt explained that universities would typically be held to ransom — "shaken down for money" — and when they refuse, the data gets published.
The stolen information is worth far more than just the immediate leak. Names, addresses, national insurance numbers, and email addresses are "like gold dust to cyber criminals" who might impersonate victims to take over identities or misuse information later, Lee said.
For students already dealing with a marking boycott and potential degree classification issues, the psychological toll is real. Abigail Maguire told the BBC about her fears that her hard work in third year — averaging first-class scores to make up for earlier struggles — could be rendered "worthless" if the university falls back on prior grade predictions.
The breach compounds an already toxic situation. Students are fighting for their academic futures while their personal data sits on a dark web forum.
A Broader Wave of Attacks on UK Education
Nottingham isn't an isolated case. It's part of a wave hitting UK education institutions:
- University of Oxford revealed last week that its CareerConnect career services platform was compromised on May 28th. Oxford also reported a second breach in early May via Instructure's Canvas LMS.
- Powys council confirmed on June 4th that a cyberattack affected 13 schools in Wales, with data stolen from at least one.
- Great Marlow School in Buckinghamshire entered its second day of shutdown after a suspected malware attack forced it into containment.
ShinyHunters also breached Instructure, claiming data theft from 8,800 schools and universities globally. The pattern is clear: attackers are targeting the same supply chain vulnerabilities across multiple institutions, and UK education is taking a beating.
The Register noted that most students at Great Marlow School have been told to stay home, with teachers unable to set remote work. Students can only access revision materials via Microsoft Teams. It's a picture of systemic vulnerability.
What Affected Individuals Should Do
Jonathan Lee emphasized that students should take "appropriate action" to protect themselves from follow-up attacks. Cyber criminals might attempt to impersonate victims using the stolen data.
Good cyber hygiene matters more than ever:
- Use strong, unique passwords for every account
- Enable multi-factor authentication wherever possible
- Be vigilant about unexpected phone calls asking you to act quickly
- Monitor financial accounts for suspicious activity
- Consider placing fraud alerts on credit files if you're concerned about identity theft
Lee added that people shouldn't panic, but they should be proactive. The data is out there. The question isn't whether attackers will try to use it — it's whether victims are prepared.
For Nottingham students and alumni, the university's dedicated support line (0115 74 86500) remains the primary resource. The institution said it would continue providing updates as the investigation progresses, though it won't offer further details due to the ongoing criminal probe.
The Bigger Picture: PeopleSoft as a Target
Oracle's PeopleSoft Campus Solutions is an enterprise business software suite used to manage large-scale operations — human resources, finance, payroll, supply chain, procurement, and campus administration. It's the backbone of student records at institutions worldwide.
ShinyHunters' campaign targeting PeopleSoft instances (detailed in our report) reveals an uncomfortable truth: even well-resourced universities are vulnerable when their core systems rely on software with known exploitation paths. The fact that the attack works differently depending on each instance's configuration means there's no one-size-fits-all defense.
Oracle hasn't confirmed whether it's aware of an actively exploited zero-day, but the pattern is clear. Organizations running PeopleSoft should be auditing their instances for known vulnerabilities, patching aggressively, and treating third-party system access as a potential attack surface.
The University of Nottingham breach is a wake-up call. When 450,000 students' data can be stolen in a single operation, the cost of complacency is measured in identities, not just dollars.