The University of Nottingham confirmed on Wednesday that a hacking group gained access to its student records system in a breach affecting both current students and alums. [...]
# Incident Report: University of Nottingham Student Records Data Breach
## Executive Summary
The University of Nottingham was targeted by the ShinyHunters cybercriminal group in a significant data breach affecting approximately 454,600 current and former students. By exploiting vulnerabilities in the Oracle PeopleSoft student record system, attackers exfiltrated 40GB of sensitive documents, including financial records, personal identification (passports), and academic enrollment data. The university is currently working with forensic investigators and the UK Information Commissioner's Office (ICO) to remediate the impact.
## Incident Details
- **Discovery Date:** Tuesday, June 10, 2026 (via the threat actor's claim); confirmed Wednesday, June 11, 2026.
- **Incident Date:** May/June 2026
- **Affected Organization:** University of Nottingham (UK, Malaysia, and China campuses)
- **Sector:** Education / Higher Education
- **Geography:** United Kingdom / International
## Timeline of Events
### Initial Access
- **Date/Time:** May/Early June 2026 (Exact date TBD)
- **Vector:** Exploitation of Oracle PeopleSoft vulnerabilities.
- **Details:** Attackers utilized a "gadget chain" consisting of suspected zero-day vulnerabilities combined with known older vulnerabilities in the PeopleSoft platform.
### Lateral Movement
- Details not explicitly disclosed, but the threat actor successfully navigated from the initial entry point to the campus portal exports and student finance systems across global campuses (UK, Malaysia, China).
### Data Exfiltration/Impact
- **Volume:** Over 40GB of documents.
- **Content:** Student finance data, billing/payment information, credit card details, full names, home addresses, IP addresses, phone numbers, dates of birth, ethnicities, disability status, passport numbers, and academic enrollment records.
### Detection & Response
- **Discovery:** On June 10, the ShinyHunters gang posted proof of the breach on their dark web leak site. Breach notification service *Have I Been Pwned* verified the data on June 11.
- **Response Actions:** The University initiated a forensic investigation with the third-party platform provider and reported the incident to the ICO and Action Fraud.
## Attack Methodology
- **Initial Access:** Vulnerability Research/Exploitation (Oracle PeopleSoft "gadget chain").
- **Persistence:** Not disclosed; likely maintained through the exploited application layer.
- **Privilege Escalation:** Exploited application-level configuration or zero-day flaws.
- **Defense Evasion:** Use of novel zero-day vulnerabilities to bypass standard signature-based detection.
- **Credential Access:** Access to payment and credit card details stored within the ERP.
- **Discovery:** Automated scanning of PeopleSoft instances worldwide.
- **Lateral Movement:** Movement within the PeopleSoft database and campus portal architecture.
- **Collection:** Gathering 40GB of student and financial documents.
- **Exfiltration:** Transfer of data to the ShinyHunters dark web leak site.
- **Impact:** Data theft and extortion.
## Impact Assessment
- **Financial:** Exposure of credit card and billing data; potential regulatory fines from the ICO under UK GDPR.
- **Data Breach:** Exposure of highly sensitive PII (Passport numbers, health/disability data) for 454,600 individuals.
- **Operational:** Disruption to student record management and administrative forensic overhead.
- **Reputational:** Significant brand damage to a Top 100 global university.
## Indicators of Compromise
- **Network Indicators:** Connection logs to known ShinyHunters leak site infrastructure (typically via Tor).
- **File Indicators:** "40GB archive" of documents originating from the student record system.
- **Behavioral Indicators:** Abnormal export volume from Oracle PeopleSoft instances; unauthorized access to campus portal exports.
## Response Actions
- **Containment:** Coordination with the third-party platform provider to identify and close the exploited entry point.
- **Eradication:** Forensic investigation to identify and remove any persistent backdoors.
- **Recovery:** Reporting to law enforcement (Action Fraud) and regulatory bodies (ICO); notification of affected individuals via data breach monitoring services.
## Lessons Learned
- **Software Dependencies:** Large-scale ERP systems like Oracle PeopleSoft are high-value targets; relying on default security configurations is insufficient.
- **Supply Chain/Vendor Risk:** Vulnerabilities in third-party-maintained platforms can lead to institutional compromise.
- **Legacy Vulnerabilities:** The threat actor noted that "old vulnerabilities" were part of the gadget chain, suggesting that patch management for older CVEs remains a critical weakness.
## Recommendations
- **Patch Management:** Immediately audit and patch all Oracle PeopleSoft instances to the latest CPU (Critical Patch Update).
- **Hardening:** Review PeopleSoft configurations against CIS benchmarks to address the "gadget chains" mentioned by the attackers.
- **Monitoring:** Implement enhanced logging and alerting for large-scale data exports from student record databases.
- **Data Minimization:** Evaluate if sensitive data like passport numbers need to be stored in the same system as general enrollment and billing information.
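As an added example (not the university's or Oracle's tooling), the kind of export-volume alerting the Monitoring recommendation calls for, written in Python over a constructed audit format: a per-account baseline catches an account exporting far more than it normally does, an absolute cap catches single bulk pulls, and a one-hour byte window catches a series of moderate exports that together amount to a bulk pull. The audit layout, table names and account names are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample export-audit records (not real PeopleSoft logs):
# "timestamp account table rows bytes", one export job per line.
SAMPLE_AUDIT = """\
2026-06-02T09:14:03Z regclerk01 PS_STDNT_ENRL 180 41200
2026-06-02T11:02:55Z regclerk01 PS_STDNT_ENRL 220 50100
2026-06-03T10:31:17Z regclerk01 PS_STDNT_ENRL 150 34000
2026-06-04T02:07:41Z svc_portal PS_STDNT_FIN 120000 4100000000
2026-06-04T02:15:12Z svc_portal PS_PERS_DATA 90000 3800000000
2026-06-04T02:22:48Z svc_portal PS_PASSPORT 60000 2900000000
2026-06-04T17:40:09Z regclerk01 PS_STDNT_ENRL 4800 1100000
2026-06-05T08:45:00Z finclerk02 PS_STDNT_FIN 300 65000
"""

ABS_ROW_LIMIT = 50_000             # a single export above this always alerts
BASELINE_MULTIPLE = 10             # alert above 10x the account's prior median
WINDOW = timedelta(hours=1)
WINDOW_BYTE_LIMIT = 5_000_000_000  # 5 GB from one account inside WINDOW

def parse(text):
    """Parse the constructed audit format into time-sorted dict records."""
    records = []
    for line in text.splitlines():
        ts, account, table, rows, nbytes = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "account": account, "table": table,
                        "rows": int(rows), "bytes": int(nbytes)})
    return sorted(records, key=lambda r: r["ts"])

def detect(records):
    """Return (reason, record) pairs for exports that warrant analyst review."""
    alerts = []
    history = defaultdict(list)  # account -> row counts of earlier exports
    recent = defaultdict(list)   # account -> (ts, bytes) seen inside WINDOW
    for r in records:
        acct, prior = r["account"], history[r["account"]]
        if r["rows"] > ABS_ROW_LIMIT:
            alerts.append(("absolute_row_limit", r))
        elif prior and r["rows"] > BASELINE_MULTIPLE * median(prior):
            alerts.append(("baseline_deviation", r))
        # Sliding window: many moderate exports that add up to a bulk pull.
        recent[acct] = [(t, b) for t, b in recent[acct] if r["ts"] - t <= WINDOW]
        recent[acct].append((r["ts"], r["bytes"]))
        if sum(b for _, b in recent[acct]) > WINDOW_BYTE_LIMIT:
            alerts.append(("window_byte_limit", r))
        prior.append(r["rows"])
    return alerts
```

Thresholds here are illustrative; in practice the baseline should be built from weeks of legitimate export activity per role, and the alert should carry the account, table and row count so an analyst can triage it against an approved export schedule.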