Full Report
What HappenedOn 9 June 2026, the University of Nottingham was listed as a victim on the ShinyHunters Tor data leak site.The attackers leaked over 40GB of billing and payment records, student finance data, and campus portal exports from the University of Nottingham and its Malaysia and China campuses.The data stolen includes contact information, transaction amounts, IP addresses, full names, home addresses, postcodes, email addresses, phone numbers, dates of birth, and other internal campus data.Further analysis of the leaked data by Have I Been Pwned revealed it also contained over 455,000 unique email addresses along with extensive personal information including ethnicities, disabilities, and passport numbers.On 10 June 2026, security researcher @nahamike01 uncovered an exposed server belonging to ShinyHunters and found them targeting Oracle PeopleSoft servers using MeshCentral agents. Plus, analysis the bash_history logs on the server uncovered SSH connections to the IP address hosting the ShinyHunters Tor data leak site.On 11 June 2026, Mandiant and Google Threat Intelligence Group (GTIG) disclosed they have observed active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure via a zero-day now tracked as CVE-2026-35273, a critical remote code execution (RCE) vulnerability (CVSS 9.8).Analyst CommentShinyHunters is a prolific feature of current threat landscape. This adversary appears to have a particular focus on the educational sector. Last month in May 2026, ShinyHunters targeted another provider of educational software: Instructure Canvas. A number of other UK universities were also impacted by the Instructure breach.The education sector in the US and UK has suffered repeated, significant data breaches in recent years. In January 2025, BleepingComputer reported that PowerSchools, a cloud-based software provider, suffered a breach whereby the data of 62.4 million students and 9.5 million teachers was exfiltrated. Also in June 2026, the University of Oxford also disclosed a data breach impacting its CareerConnect platform. Separately, 13 schools in Powys county in Wales were impacted by a data breach in April 2026.After the Oracle E-Business Suite zero-day campaign by CLOP in October 2025, this campaign by ShinyHunters against Oracle PeopleSoft is yet another blow for Oracle. Google identified over 100 exposed organisations, and noted that 68% are academic institutions, including universities and colleges worldwide. More are likely to have been victimised by ShinyHunters and listed on their Tor data leak site in the coming weeks.Defensive TakeawaysPatch Oracle PeopleSoft: Internet-facing applications, such as file transfer servers or cloud-based software need to be prioritised for patches and updates. Checking the integrity of such systems while patching is also key to finding undetected compromises. Proactively ingesting event logs and threat hunting for suspicious activities involving these systems is also key to prevent breaches.Prioritise Education Software Security: Education sector firms or cybersecurity companies with education sector clients must react to the elevated threat, by pen-testing, threat hunting, and threat intelligence sharing. Cybercriminal adversaries like ShinyHunters often exploit internet-facing applications or use stolen credentials for initial access. It is therefore critical to focus on these tactics, techniques, and procedures (TTPs) to prevent their attacks.Follow the Data Breach Alert Playbook: Impacted victims must begin to rotate credentials, and start the laborious task of requesting new identity documents and codes like national insurance numbers or passports. It is also worth investing in some credit monitoring services as well to prevent loans being taken out in your name.Relevant Sourceshttps://x.com/politlcsuk/status/2064699766215164241https://www.dailymail.com/news/article-15889587/University-Nottingham-data-major-hack-cybercriminal.htmlhttps://www.bbc.co.uk/news/articles/ckg0lkp042zohttps://www.bbc.co.uk/news/articles/cnv93j9pv78ohttps://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-raids-nottingham-uni-for-student-alumni-data/5253961Relevant CTI Resourceshttps://www.ransomware.live/id/bm90dGluZ2hhbS5hYy51a0BzaGlueWh1bnRlcnMhttps://haveibeenpwned.com/Breach/UniversityOfNottinghamhttps://x.com/nahamike01/status/2064559568018186745https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
Analysis Summary
# Incident Report: Compromise of University of Nottingham by ShinyHunters (UNC6240)
## Executive Summary
In June 2026, the University of Nottingham fell victim to a large-scale data exfiltration attack orchestrated by the threat group ShinyHunters (UNC6240). The attackers exploited a zero-day vulnerability in Oracle PeopleSoft to steal over 40GB of sensitive data, including the personal and financial information of over 455,000 individuals across UK and international campuses.
## Incident Details
- **Discovery Date:** 9 June 2026 (via data leak site listing)
- **Incident Date:** May – June 2026
- **Affected Organization:** University of Nottingham (including Malaysia and China campuses)
- **Sector:** Higher Education
- **Geography:** United Kingdom, Malaysia, China
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-9 June 2026
- **Vector:** Exploitation of zero-day vulnerability CVE-2026-35273.
- **Details:** Attackers targeted internet-facing Oracle PeopleSoft application infrastructure using a critical Remote Code Execution (RCE) vulnerability.
### Lateral Movement
- **Details:** Attackers deployed MeshCentral agents on compromised servers to maintain access and move through the environment. Security research identified SSH connections originating from the attackers' infrastructure to target systems.
### Data Exfiltration/Impact
- **Details:** Over 40GB of data was exfiltrated and subsequently leaked on the ShinyHunters Tor data leak site. The data included billing records, campus portal exports, and student finance information.
### Detection & Response
- **9 June 2026:** The University of Nottingham is listed on the ShinyHunters leak site.
- **10 June 2026:** Security researcher @nahamike01 discovers an exposed ShinyHunters server containing MeshCentral agents and `bash_history` logs linking them to the leak site.
- **11 June 2026:** Mandiant and Google Threat Intelligence Group (GTIG) publicly disclose the zero-day CVE-2026-35273 and its active exploitation by UNC6240 against academic institutions.
## Attack Methodology
- **Initial Access:** Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273).
- **Persistence:** Use of MeshCentral agents and SSH connections.
- **Collection:** Gathering 40GB of payment records, portal exports, and personal data.
- **Exfiltration:** Secure transfer of data to ShinyHunters' hosting infrastructure.
- **Impact:** Public data leak and extortion.
## Impact Assessment
- **Financial:** Potential for significant regulatory fines and costs associated with credit monitoring and identity document replacement for 455,000 victims.
- **Data Breach:** Exposure of 455,000 unique email addresses, PII (names, DOBs, addresses, phone numbers), financial transactions, and sensitive personal info (ethnicities, disabilities, passport numbers).
- **Operational:** Disruption of student finance and campus portal operations.
- **Reputational:** Significant damage to the university's global reputation across its three main campuses.
## Indicators of Compromise
- **CVE:** CVE-2026-35273 (Oracle PeopleSoft RCE)
- **Tools:** MeshCentral Agents
- **Behavioral:** Unauthorized SSH connections to/from known threat actor infrastructure; unusual activity in `bash_history` logs on PeopleSoft servers.
## Response Actions
- **Containment:** Mandiant and Google TG identified over 100 exposed organizations to prevent further breaches.
- **Notification:** Breach disclosure via Have I Been Pwned and official university channels.
- **Remediation:** Implementation of critical security patches released for PeopleSoft.
- **Victim Support:** Recommendations for impacted students/staff to rotate credentials and apply for new identity documents.
## Lessons Learned
- **Zero-Day Preparedness:** Critical vulnerabilities in ubiquitous enterprise software (Oracle) remain a primary entry point for sophisticated actors.
- **Sector Targeting:** The education sector is being specifically targeted by ShinyHunters due to the high volume of sensitive PII and potentially lagging patch management cycles.
- **Third-Party Exposure:** Security at international campuses and via student portals must be as rigorous as the central UK network.
## Recommendations
- **Immediate Patching:** Prioritize patching of all internet-facing Oracle PeopleSoft and E-Business Suite applications.
- **Threat Hunting:** Ingest event logs from PeopleSoft servers to look for signs of MeshCentral or unauthorized SSH tunneling.
- **Identity Protection:** Impacted individuals should use credit monitoring services and consider rotating National Insurance or Passport information if compromised.
- **Offense-Informed Defense:** Conduct penetration testing specifically targeting internet-facing educational software (Canvas, PeopleSoft, PowerSchools).