
Oxford University Data Breach Traced to CareerConnect Hack
The University of Oxford has confirmed a data breach affecting its CareerConnect careers platform, exposing personal data belonging to students, alumni, research staff, and external employers. The incident occurred on May 28 and stems from a security vulnerability in the platform's infrastructure, which is operated by London-based third-party provider Group GTI. Affected users received notification emails on June 4.
What the Breach Exposed
Attackers accessed first names, last names, and email addresses across all affected user groups. Those who authenticate with a password stored locally on CareerConnect, rather than through Oxford's central Single Sign-On system, also had their encrypted passwords compromised.
The exposure is narrower than it might appear. Current Oxford students log in via the university's central identity provider, which means their credentials sit with Oxford IT, not GTI. The accounts at risk belong to alumni, research staff, and employer representatives who hold standalone CareerConnect logins. Oxford has invalidated those passwords and requires a reset on next sign-in.
Course information, uploaded files, appointment data, and financial records were not involved in the incident. Oxford confirmed there is no evidence that its own internal systems were compromised.
Credential Harvesting Was the Goal
GTI told Oxford that the attack appeared focused on gathering credentials, likely as a precursor to phishing campaigns targeting Oxford-affiliated email addresses. No ransomware group or known threat actor has claimed responsibility. Oxford said it has no information regarding attribution.
The vulnerability that enabled the breach has since been patched, and GTI has also implemented additional security measures following the incident. Oxford is advising all affected users to stay alert to phishing and scam emails and to keep the devices they use for work or study up to date.
A Seven-Day Notification Gap
The breach occurred on May 28. Oxford notified users on June 4, a gap of seven days. Under UK GDPR, data controllers are required to report personal data breaches to the Information Commissioner's Office within 72 hours of becoming aware of them. It is not yet clear when Oxford was formally notified by GTI, but the timeline may attract scrutiny from the ICO.
Oxford confirmed it remains in contact with GTI to establish the precise number of affected users. That figure has not been disclosed publicly.
Wider Exposure Across UK Universities
CareerConnect is not exclusive to Oxford. The platform runs on GTI's TargetConnect product, which powers career management services at other UK institutions, including King's College London and the University of Manchester. Oxford has not confirmed whether those institutions were also affected, and no other university has issued a public statement on the incident.
The question of shared exposure is significant. If the vulnerability existed at the platform level rather than in Oxford's specific configuration, other TargetConnect deployments may have been at risk during the same window.
Oxford's Second Breach in Five Weeks
This incident is the second data breach Oxford has disclosed in 2026. In early May, the university was among thousands of institutions affected by a breach at Instructure, the company behind the Canvas learning management system. That attack, claimed by the ShinyHunters extortion group, exposed names, email addresses, student ID numbers, and messages across an estimated 9,000 educational organizations worldwide. SafeState covered that breach in detail at the time.
The two incidents are unrelated. Oxford confirmed that the CareerConnect breach has no connection to the earlier Canvas disruption. But the back-to-back disclosures point to a broader reality: universities hold large volumes of personal data across multiple third-party platforms, and each vendor relationship represents a potential point of failure. A university's own security posture means little when an external provider is the one that gets hit.
What Affected Users Should Do
Anyone who held a standalone CareerConnect login should treat their password as compromised and avoid reusing it elsewhere. Given that credential harvesting was the stated intent, phishing emails crafted to appear as Oxford or GTI communications are a credible follow-on risk. Users should verify the sender address on any email requesting login credentials or urgent account action, and they should not click through links in unsolicited messages claiming to relate to CareerConnect or Oxford accounts.
Multi-factor authentication, where available, should be enabled on any account linked to the same email address that was exposed.