Nottingham University Confirms ShinyHunters Breach Exposing 455K Email Addresses and Sensitive Student Records

Regulation Reporter

The University of Nottingham has confirmed attackers accessed its student record system after ShinyHunters published roughly 40GB of data, including passport numbers, ethnicities, and payment details. For any organization holding personal data, the breach is a reminder of what regulators expect when sensitive records spill, and the clock that starts ticking the moment a breach is discovered.

The University of Nottingham has confirmed that attackers accessed its student record system, after the cybercriminal group ShinyHunters claimed responsibility and published tens of gigabytes of stolen data. The breach exposed an unusually sensitive collection of personal information, and it offers a practical case study in what data protection law requires once records like these leave an organization's control.


According to a university spokesperson, "a significant amount of data in our student record system has been accessed by a well-known cybercriminal group." ShinyHunters claimed it took around 40GB of data, including billing and payment records, credit card and payment details, student finance data, and campus portal exports. The crew also claimed the university's Malaysia and China campuses were compromised. Breach notification service Have I Been Pwned added a 10GB leaked dataset to its index, identifying roughly 454,600 university-related email addresses alongside names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and academic enrolment and fee payment records.

What the data classification means under UK GDPR

The categories of data involved here matter for how the law treats the incident. Under the UK GDPR and the Data Protection Act 2018, ethnicity, disability status, and similar information count as special category data under Article 9. These categories carry heightened protections precisely because their exposure can lead to discrimination or other serious harm. Passport numbers and payment details add identity theft and financial fraud risk on top of that.

When a breach involves special category data and affects hundreds of thousands of individuals, it sits firmly in the territory that regulators consider high risk to the rights and freedoms of those affected. That classification drives the obligations that follow.

The 72-hour notification clock

UK GDPR Article 33 requires a data controller to notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. The university confirmed it reported the incident to both Action Fraud and the Information Commissioner's Office, which is the correct path. The 72-hour window is not a deadline for completing an investigation. It is a deadline for telling the regulator that a breach has occurred, even when many facts are still unknown. Controllers are expected to provide what they know and supplement the report as the picture develops.

Article 34 adds a second obligation. When a breach is likely to result in a high risk to individuals, the controller must communicate the breach to those individuals without undue delay. Given the special category data and passport numbers involved, that threshold is clearly met. The university said individuals believed to be affected have been contacted directly and that it has established a dedicated support line. Direct notification, rather than a general public statement alone, is what the law expects when the risk is this high.

What affected organizations should actually do

For any compliance team watching this unfold, the breach maps to a sequence of concrete actions that apply well beyond higher education:

Document the discovery timestamp. The 72-hour clock starts when you become aware of the breach, not when you finish scoping it. Record when and how you learned of the incident, because that timestamp anchors every subsequent deadline and will be among the first things a regulator asks about.

Assess the risk to individuals, not just to the organization. The notification obligations turn on harm to data subjects. Special category data, identity documents, and financial details all push an assessment toward high risk, which triggers the duty to notify individuals directly.

Notify on a rolling basis. A common mistake is waiting until the investigation is complete before contacting the ICO. The regulator accepts phased reporting. An initial report followed by updates is both permitted and expected.

Coordinate with third-party processors. The university noted it is working with the third party that maintains the platform to lead a forensic investigation. Where a processor operates the breached system, the controller still carries the notification obligations, but the processor has its own duty under Article 33 to inform the controller without undue delay. Contracts under Article 28 should already define how that coordination works.

Stand up support for affected people. A dedicated support line, guidance on monitoring for fraud, and clear advice on what was and was not exposed are part of meeting the spirit of Article 34, not just the letter.

Why this case carries broader weight

The breach landed at a difficult moment for Nottingham, which is dealing with industrial action by staff over redundancies, including a marking boycott that runs through July 31. Operational disruption of that kind can stretch the resources available for incident response, which is itself a compliance risk worth planning for. Regulators have shown limited patience for the argument that an organization was too busy to respond properly to a breach.

The incident also arrives during a run of attacks on UK education bodies. Powys council confirmed a cyberattack affecting 13 schools in early June, with data stolen from at least one, and Great Marlow School in Buckinghamshire was forced into containment after a suspected malware attack. The pattern reinforces a point compliance officers have made for years: the education sector holds large volumes of sensitive personal data, often on aging systems administered by third parties, and that combination is exactly what attackers target.

For organizations outside education, the lesson transfers directly. The legal obligations triggered by a breach do not depend on your sector. They depend on the data you hold and the harm its exposure could cause. The time to build the discovery-to-notification workflow, confirm your processor agreements, and rehearse the 72-hour response is before an incident, not during one. Nottingham's experience shows how quickly a record system breach moves from a security problem to a regulatory one, and how the response itself becomes part of the compliance record.
