Nottingham University Breach Exposes 450,000 Students as ShinyHunters PeopleSoft Campaign Widens
#Vulnerabilities

Security Reporter

The University of Nottingham confirmed attackers accessed its student record system, exposing data on 454,600 current and former students. The breach ties into a sprawling ShinyHunters campaign that has hit over 100 organizations through their Oracle PeopleSoft deployments.

The University of Nottingham confirmed on Wednesday that a cybercriminal group breached its student records system, in an incident that breach notification service Have I Been Pwned now puts at 454,600 affected current and former students. For one of the UK's larger research institutions, with 7,000 staff and more than 46,000 students across campuses in the UK, Malaysia, and China, the scope of the exposure is hard to overstate.

In an emailed statement to BleepingComputer, the university said a "significant amount of data in our student record system has been accessed by a well-known cybercriminal group," and confirmed it is working with the third party that maintains the platform to run a forensic investigation. The incident has been reported to both Action Fraud and the UK's Information Commissioner's Office, the standard regulatory steps for a breach of this size under UK data protection law.

The well-known group in question is ShinyHunters, an extortion gang that claimed responsibility on Tuesday and posted an archive of allegedly stolen documents to its dark web leak site as proof. The group says it pulled more than 40GB of files, including student finance data, billing and payment information, credit card details, and campus portal exports from all three campuses.

Nottingham University on ShinyHunters leak site

What was actually exposed

The data set is broad and personal. ShinyHunters claims it includes full names, home addresses, IP addresses, phone numbers, and dates of birth. Have I Been Pwned's analysis of the leaked data went further, identifying email addresses alongside names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and records tied to academic enrolment and fee payments.

That combination matters. Passport numbers and dates of birth are durable identifiers that do not expire the way a leaked password does. A student cannot rotate their date of birth after a breach. When ethnicity and disability information sits in the same archive, the privacy stakes climb again, because that falls under special category data that UK GDPR treats with heightened protection. Anyone with a Nottingham affiliation, even years-old alumni, should treat targeted phishing and identity fraud attempts as a realistic near-term risk.

The bigger story is PeopleSoft

The Nottingham breach is not an isolated event. BleepingComputer reports it is part of a campaign in which ShinyHunters has stolen data from over 100 organizations worldwide by breaching their Oracle PeopleSoft instances, both cloud-hosted and on-premises.

PeopleSoft is an enterprise application suite that universities and large companies use to run human resources, finance, payroll, procurement, supply chain, and campus administration. It is exactly the kind of system that concentrates sensitive records in one place, which is what makes it such a productive target. Compromise one PeopleSoft deployment and you potentially walk away with payroll, identity, and financial data for an entire institution.

What the attackers told BleepingComputer about their method is the part security teams should pay attention to. ShinyHunters described using a "gadget chain" of zero-days and older vulnerabilities, and noted the technique does not succeed against every system, likely because exploitation depends on each instance's specific configuration. A gadget chain stitches together individual weaknesses, often through insecure deserialization, so that pieces that look harmless on their own combine into remote code execution. The configuration dependency is the practical takeaway: two organizations running the same PeopleSoft version can have very different exposure based on patch level, exposed endpoints, and hardening choices.
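The defensive counterpart to the deserialization gadget chain described above is to refuse to resolve any class the application did not expect before an object is ever constructed. The following is an added example in Python, not code from the article, from Oracle, or from any PeopleSoft component (which is Java-based); it uses Python's pickle module because the same principle applies to any native serialization format, and the allowlist contents and the sample serialized blobs are constructed for illustration.

```python
import io
import pickle
from collections import OrderedDict
from datetime import date

# Allowlist of (module, qualname) pairs the deserializer may resolve.
# Any reference outside this set is refused before the object is built,
# which is what breaks a gadget chain that relies on reaching arbitrary
# classes or functions during deserialization. Values here are an
# assumption for the example; a real service lists only its own types.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "str"),
    ("builtins", "int"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted classes and functions."""

    def find_class(self, module, name):
        # find_class is the hook through which every class reference in
        # the stream is resolved, so enforcing the allowlist here covers
        # both top-level objects and anything nested inside them.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not on the allowlist"
        )


def safe_loads(data: bytes):
    """Deserialize bytes using the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected' for a serialized blob."""
    try:
        safe_loads(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample inputs (not real data):
# a plain record built only from primitive types,
BENIGN_RECORD = pickle.dumps({"student_id": 1234, "fees_paid": True})
# a record using an allowlisted class,
ALLOWLISTED_CLASS = pickle.dumps(OrderedDict(student_id=1234))
# and a harmless object whose class is simply not on the allowlist.
UNLISTED_CLASS = pickle.dumps(date(2024, 6, 1))

if __name__ == "__main__":
    for label, blob in [("benign record", BENIGN_RECORD),
                        ("allowlisted class", ALLOWLISTED_CLASS),
                        ("unlisted class", UNLISTED_CLASS)]:
        print(f"{label}: {classify(blob)}")
```

The deliberate design choice is that the unlisted input is rejected even though it is harmless: the filter decides on what the stream asks to resolve, not on whether a particular payload looks malicious, so it does not need a signature for every gadget. Java offers the equivalent hook through `ObjectInputFilter`, which is where the same allowlist would be applied for a JVM-based suite.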

Oracle had not confirmed to BleepingComputer whether it is aware of an actively exploited PeopleSoft zero-day at the time of reporting. Defenders running PeopleSoft should not wait for that confirmation. Audit which PeopleSoft components face the internet, confirm the latest Oracle Critical Patch Updates are applied, and consult the PeopleSoft documentation for hardening guidance on the PeopleSoft Internet Architecture and Integration Broker, which are common exposure points.

A pattern across higher education

Universities have become a recurring entry on ShinyHunters' victim list, and Nottingham is the second UK institution to disclose a breach in recent days. The University of Oxford revealed last week that its CareerConnect career services platform had been compromised on May 28, and that followed an earlier Oxford breach in early May connected to ShinyHunters' attack on Instructure's Canvas learning management system.

The through-line is third-party platforms and enterprise suites that universities depend on but do not always control directly. Nottingham's own statement points to a third party maintaining the affected platform, which is a reminder that institutional security now extends well past the perimeter the IT team manages day to day. When a vendor's product holds your student records, their patch cadence and configuration become your risk.

For security teams watching this unfold, the practical advice converges on a few points. Inventory your enterprise application footprint and know which instances are internet-facing. Treat deserialization-based gadget chains as a live threat against Java-heavy enterprise software, not a theoretical one. Validate that your detection rules actually fire against the data-exfiltration patterns these campaigns use, because exfiltration of 40GB should not pass silently. And for institutions specifically, segment student record systems so that a single platform compromise does not hand over finance, identity, and academic data in one archive.
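One way to test the point about exfiltration not passing silently is to run a volume check over egress logs. The following is an added example in Python, not code from the article or from any vendor: it parses constructed firewall-style egress records (sample values are made up, using documentation address ranges), sums bytes sent per internal source and external destination in fixed time windows, and flags any pair that exceeds a threshold. The log format, field names, the 5 GiB threshold and the window sizes are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed egress log lines (not real data). Each line carries a UTC
# timestamp, the internal source, the external destination, and the
# number of bytes the inside host sent during that flow.
SAMPLE_LOG = """\
2024-06-02T01:05:10Z src=10.20.5.11 dst=203.0.113.7 bytes_out=1800000000
2024-06-02T01:17:42Z src=10.20.5.11 dst=203.0.113.7 bytes_out=2100000000
2024-06-02T01:41:03Z src=10.20.5.11 dst=203.0.113.7 bytes_out=1950000000
2024-06-02T01:09:55Z src=10.20.5.12 dst=198.51.100.20 bytes_out=42000000
2024-06-02T02:03:17Z src=10.20.5.11 dst=203.0.113.7 bytes_out=1200000000
2024-06-02T03:30:00Z src=10.20.5.13 dst=198.51.100.20 bytes_out=900000
"""

# Assumed threshold: 5 GiB to one destination within one window.
# Tune this against a baseline of normal traffic for the host class.
THRESHOLD_BYTES = 5 * 1024 ** 3
HOURLY = 3600
DAILY = 86400


def parse_line(line):
    """Parse one 'ts key=value ...' record into (ts, src, dst, bytes)."""
    ts_str, *pairs = line.split()
    fields = dict(item.split("=", 1) for item in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields["src"], fields["dst"], int(fields["bytes_out"])


def detect_bulk_egress(log_text, threshold=THRESHOLD_BYTES, window=HOURLY):
    """Return alerts for (src, dst) pairs whose bytes in a window exceed threshold.

    Windows are fixed buckets of `window` seconds aligned to the epoch, so
    UTC hours or days depending on the value passed in.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        bucket = int(ts.timestamp()) // window
        totals[(src, dst, bucket)] += nbytes

    alerts = []
    for (src, dst, bucket), total in sorted(totals.items()):
        if total >= threshold:
            start = datetime.fromtimestamp(bucket * window, tz=timezone.utc)
            alerts.append({
                "src": src,
                "dst": dst,
                "window_start": start.isoformat(),
                "bytes": total,
            })
    return alerts


if __name__ == "__main__":
    # An hourly pass catches the burst; a daily pass with the same
    # threshold also catches a slower transfer that straddles hour
    # boundaries, which the hourly buckets alone can miss.
    for name, window in [("hourly", HOURLY), ("daily", DAILY)]:
        for alert in detect_bulk_egress(SAMPLE_LOG, window=window):
            print(f"[{name}] {alert['src']} -> {alert['dst']} "
                  f"sent {alert['bytes']:,} bytes from {alert['window_start']}")
```

Fixed buckets are cheap to compute in a SIEM but have an obvious failure mode: a transfer split across a boundary lands in two buckets, each under the threshold. Running the same check at a coarser window, as the daily pass does, is a simple way to close that gap; a sliding window or a per-host daily baseline comparison would be the next refinement.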

The individuals caught in this breach have the hardest position, because they made no configuration decisions and have little recourse beyond monitoring for fraud. That asymmetry is the real cost of these enterprise-software campaigns, and it is why getting the underlying PeopleSoft exposure under control matters far beyond any single university.
