Nottingham University Breach Exposes 454,600 Students' Data

Key Takeaways

• 454,600 current and former students affected across three global campuses
• Stolen data includes passport numbers, payment details, addresses, and academic records
• Attack is part of a larger ShinyHunters campaign targeting Oracle PeopleSoft systems at 100+ organizations

The University of Nottingham confirmed Wednesday that hackers accessed its student records system, exposing personal and financial data for 454,600 current and former students. The breach affects all three of the university's campuses in the UK, Malaysia, and China.

"The University of Nottingham has been the victim of a cyber incident and a significant amount of data in our student record system has been accessed by a well-known cybercriminal group," the university said in a statement to BleepingComputer. "We are working with the third party that maintains the platform to lead a forensic investigation."

The university reported the incident to the UK's Information Commissioner's Office and Action Fraud. It has not publicly attributed the attack to any specific group.

ShinyHunters Claims Responsibility

The ShinyHunters extortion gang claimed responsibility on Tuesday, posting proof to their dark web leak site. The group says it stole over 40GB of documents from the university's systems.

According to ShinyHunters, the stolen data includes student finance records, billing and payment information, credit card details, and campus portal exports. The group also claims to have full names, home addresses, IP addresses, phone numbers, and dates of birth.

Breach notification service Have I Been Pwned analyzed the leaked data and confirmed the scope. The service found the breach contains email addresses, names, addresses, phone numbers, ethnicities, disability information, passport numbers, academic enrollment details, and fee payment records.

Part of a Larger PeopleSoft Campaign

This attack is not isolated. BleepingComputer reports that ShinyHunters has breached over 100 organizations worldwide through their Oracle PeopleSoft instances. PeopleSoft is enterprise software used to manage HR, finance, payroll, supply chains, and campus administration.

ShinyHunters told BleepingComputer they are using a "gadget chain" combining zero-day vulnerabilities with older exploits. The group noted the attack does not work on all systems. Success depends on each PeopleSoft instance's specific configuration.

Universities are particularly attractive targets for extortion groups. They maintain vast repositories of personal data, often on legacy systems with inconsistent security practices. A Russell Group institution like Nottingham holds decades of student records.

Student Reactions and Concerns

On Reddit's r/nottingham and r/UniversityofNottingham, students expressed anxiety about identity theft. Many called for clearer communication about what specific data types were stolen and whether compensation would be offered.

The timing compounds the disruption. The breach hit during the university's critical exam marking period, adding operational chaos to the data security crisis.

For affected students and alumni, the exposure of passport numbers is particularly concerning. Unlike passwords or even credit cards, a passport number cannot be easily changed. Combined with full names, dates of birth, and addresses, this data creates significant identity theft risk.

What Should Affected Students Do?

• Check Have I Been Pwned to confirm if your email appears in the breach
• Monitor bank and credit card statements for unauthorized charges
• Consider a credit freeze or fraud alert with UK credit bureaus (Experian, Equifax, TransUnion)
• Be alert for phishing attempts using your personal details
• If your passport number was exposed, contact the Passport Office about potential replacement

The University of Nottingham ranks in the UK's Top 20 and global Top 100. It employs 7,000 staff and enrolls over 46,000 students. The ICO investigation will determine whether the university met its data protection obligations under UK GDPR.

Frequently Asked Questions

How do I know if my data was in the Nottingham University breach?

Check Have I Been Pwned by entering your email address. The service has indexed the breach data and will confirm if your information appears.

What data did ShinyHunters steal from Nottingham University?

The breach includes names, email addresses, home addresses, phone numbers, dates of birth, ethnicities, disability information, passport numbers, academic records, and payment details.

Can I change my passport number if it was exposed?

Yes. Contact HM Passport Office to report the data breach. You may be able to request a replacement passport with a new number, though standard fees may apply.

Who is ShinyHunters?

ShinyHunters is an extortion gang known for large-scale data theft. They've previously targeted companies like Microsoft, Tokopedia, and Mashable. They typically steal data and threaten to publish it unless victims pay.

Were only current students affected?

No. The breach affects both current students and alumni. Have I Been Pwned confirmed 454,600 individuals were impacted, including former students whose records remained in the system.

Source: BleepingComputer