Full Report
In June 2026, the University of Nottingham was the target of a cyber attack, later linked to a ShinyHunters "pay or leak" extortion campaign. Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments. In a post about the incident, the university advised that the breach affected both "current students, and alumni".
Analysis Summary
# Incident Report: University of Nottingham Data Breach (ShinyHunters Extortion)
## Executive Summary
In June 2026, the University of Nottingham fell victim to a large-scale cyber attack and extortion campaign perpetrated by the threat group ShinyHunters. The incident resulted in the exfiltration and subsequent public leak of tens of gigabytes of data containing highly sensitive personal and academic information for approximately 455,000 students and alumni.
## Incident Details
- **Discovery Date:** June 2026
- **Incident Date:** June 2026
- **Affected Organization:** University of Nottingham
- **Sector:** Higher Education
- **Geography:** Nottingham, United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** June 2026
- **Vector:** Not disclosed (attributed to ShinyHunters)
- **Details:** The public brief does not state how the attackers got in. As background on the group rather than a finding about this incident, ShinyHunters campaigns have typically relied on stolen or phished credentials and on cloud-hosted data stores rather than on novel exploits.
### Lateral Movement
- **Details:** Not disclosed. Only the outcome is known: the actor reached data stores holding student and alumni PII (Personally Identifiable Information), enrolment records and fee-payment information.
### Data Exfiltration/Impact
- **Details:** The threat actor exfiltrated "tens of gigabytes" of data. The incident was later linked to a ShinyHunters "pay or leak" extortion campaign, and the data was subsequently published online. Whether a ransom demand was made to the university directly, or refused, is not stated in the public brief.
### Detection & Response
- **How it was discovered:** Not disclosed. Incidents of this type usually surface either through internal monitoring or through the extortion contact itself; the brief does not say which applied here.
- **Response actions taken:** The university published a post about the incident stating that both current students and alumni were affected. Other response steps (regulator notification, forensic scoping of the data categories involved) are not described in the public brief.
## Attack Methodology
- **Initial Access:** Not disclosed for this incident. The group's campaigns have generally started from compromised credentials, API keys or cloud service accounts, or from phishing of staff.
- **Collection:** Aggregation of structured data from student databases and enrollment systems.
- **Exfiltration:** Transfer of large-scale datasets to attacker-controlled infrastructure.
- **Impact:** Use of "Pay or Leak" extortion tactics followed by the public release of sensitive data to pressure the victim.
## Impact Assessment
- **Financial:** Undisclosed, but likely to include forensic investigation, legal fees, notification costs and potential regulatory action under UK GDPR (the ICO is the relevant regulator).
- **Data Breach:** 454.6k unique email addresses leaked, with associated names, physical addresses, phone numbers, passport numbers, ethnicities, disabilities, and academic enrolment and fee-payment records. Passport numbers and the special-category fields (ethnicity, disability) carry the highest follow-on risk: identity fraud and targeted phishing against the affected individuals.
- **Operational:** Not disclosed in the public brief.
- **Reputational:** High impact; compromise of sensitive student welfare data (disabilities/ethnicities) and passport numbers significantly damages institutional trust.
## Indicators of Compromise
- **Network indicators:** None published. The university's own site (www.nottingham.ac.uk) is the channel for breach updates, not an indicator of compromise.
- **File indicators:** Not mentioned in the public brief.
- **Behavioral indicators:** Large-scale outbound data transfers from hosts that normally send little traffic externally; bulk reads or exports from student-record systems by accounts, API keys or sessions that do not normally perform them.
## Response Actions
- **Containment measures:** Not described publicly. For a credential-driven intrusion the priority is revoking the sessions, tokens and keys the actor used, not only isolating hosts; an attacker with valid cloud credentials does not need a foothold on the internal network.
- **Eradication steps:** Rotating every credential the actor could have reached, removing persistence (added accounts, OAuth grants, API keys) and confirming no secondary access path remains.
- **Recovery actions:** Verification of data integrity and restoration of services; confirming the scope of the dataset that was taken so that notification is accurate.
- **Notification:** The university published a post stating that current students and alumni were affected. The extent of direct outreach to individuals is not stated in the brief.
## Lessons Learned
- **Sensitive Data Exposure:** The volume of PII retained (passport numbers, disability and ethnicity data) highlights the need for strict retention limits and field-level protection. Encryption at rest alone is not sufficient: an attacker querying the database with stolen valid credentials receives the data decrypted.
- **Extortion Readiness:** Organizations must have a clear policy on handling "pay or leak" demands to avoid panicked responses.
- **Third-Party/Cloud Security:** Given the threat actor's history, securing cloud-hosted databases and API keys is critical.
## Recommendations
- **Identity Management:** Enforce phishing-resistant Multi-Factor Authentication (FIDO2/passkeys) on staff and administrative accounts, and replace long-lived API keys and service-account passwords with short-lived, scoped credentials that can be revoked quickly.
- **Data Minimization:** Regularly purge or pseudonymise alumni data that is no longer required for a legal or administrative purpose; passport numbers in particular rarely need to be retained after identity verification is complete.
- **Encryption:** Use field-level encryption or tokenisation for highly sensitive fields such as passport numbers and health-related data (disabilities), with decryption restricted to the few workflows that need the plaintext, so that a bulk export through a compromised application or database account yields ciphertext.
- **Monitoring:** Baseline per-host and per-account outbound volume and alert on departures from it, alongside Data Loss Prevention (DLP) rules for structured PII; bulk exports of record-level data from student systems should be logged and reviewed.
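As an added example (not part of the original report, and not the university's own tooling), the following script implements the check that the "large-scale outbound data transfers" behavioural indicator and the monitoring recommendation above both call for: it aggregates bytes leaving the internal address ranges per source host per time window and flags any host that exceeds a volume threshold, listing the destinations involved. The flow-log format, the internal address plan, the threshold and the sample records are all assumptions constructed for the example.

```python
"""Flag hosts that push unusually large volumes of data out of the network.

Added example, not code from the original report. Flow-log format, address
plan, thresholds and all sample records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic). Fields:
# timestamp, source IP, destination IP, destination port, bytes sent by source.
SAMPLE_FLOWS = """\
2026-06-03T01:12:04Z 10.20.5.17 203.0.113.45 443 512000000
2026-06-03T01:13:10Z 10.20.5.17 203.0.113.45 443 498000000
2026-06-03T01:15:22Z 10.20.5.17 203.0.113.45 443 530000000
2026-06-03T01:16:40Z 10.20.5.17 203.0.113.45 443 470000000
2026-06-03T02:00:00Z 203.0.113.45 10.20.5.17 443 900000000
2026-06-03T09:05:00Z 10.20.7.3 198.51.100.8 443 2400000
2026-06-03T09:06:00Z 10.20.7.3 10.20.200.10 5432 150000000
2026-06-03T09:40:00Z 10.20.9.9 192.0.2.77 22 80000000
"""

# Assumed address plan: anything inside these ranges counts as internal.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

WINDOW_SECONDS = 3600             # aggregate per source per hour
THRESHOLD_BYTES = 1 * 1024 ** 3   # 1 GiB out of the network in one window


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            flows.append({"ts": when, "src": src, "dst": dst,
                          "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def outbound_volume(flows, window_seconds=WINDOW_SECONDS):
    """Sum bytes per (source, window) for flows that leave the internal ranges."""
    totals = defaultdict(int)
    dests = defaultdict(lambda: defaultdict(int))
    for f in flows:
        # Inbound traffic and internal-to-internal traffic are out of scope here.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        bucket = int(f["ts"].timestamp()) // window_seconds * window_seconds
        key = (f["src"], bucket)
        totals[key] += f["bytes"]
        dests[key][f["dst"]] += f["bytes"]
    return totals, dests


def find_exfil_candidates(text, threshold=THRESHOLD_BYTES, window_seconds=WINDOW_SECONDS):
    """Return one alert per (source, window) whose outbound bytes reach `threshold`."""
    totals, dests = outbound_volume(parse_flows(text), window_seconds)
    alerts = []
    for (src, bucket), total in sorted(totals.items()):
        if total < threshold:
            continue
        top = sorted(dests[(src, bucket)].items(), key=lambda kv: -kv[1])
        alerts.append({
            "src": src,
            "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "bytes": total,
            "destinations": [d for d, _ in top],
        })
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"{a['window_start']} {a['src']} sent {a['bytes'] / 1024 ** 3:.2f} GiB "
              f"to {', '.join(a['destinations'])}")
```

On the constructed input only 10.20.5.17 is flagged: four flows to 203.0.113.45 within the 01:00 window sum to just over 2 GB, while the 150 MB database transfer from 10.20.7.3 stays internal and is ignored. A fixed hourly threshold catches the "tens of gigabytes" pattern described in the report but misses slow exfiltration; in production the threshold should be a per-host baseline and the window widened to a day as a second tier.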