University of Nottingham Data Breach Hits 454,000 Students

A University of Nottingham data breach has exposed personal and financial records belonging to 454,600 current and former students, after attackers gained access to the institution's student records system. The university confirmed the incident on Wednesday, reporting it to the UK's Information Commissioner's Office and Action Fraud. ShinyHunters, one of the most active extortion groups operating today, claimed responsibility and published sample files as proof on its dark web leak site.

What Was Stolen

ShinyHunters claims to have exfiltrated over 40 GB of data from Nottingham's student records system, covering the university's campuses in the United Kingdom, Malaysia, and China. The group says the stolen files include student finance data, billing and payment information, credit card details, and campus portal exports.

Breach notification service Have I Been Pwned analysed the leaked data and confirmed the full scope of the University of Nottingham data breach. Exposed records include email addresses, full names, home addresses, phone numbers, dates of birth, ethnicities, disabilities, passport numbers, and information tied to academic enrolments and fee payments.

That combination of financial and identity data creates serious downstream risk for affected individuals. Passport numbers and payment records together provide enough detail to facilitate identity fraud, and the inclusion of home addresses makes targeted phishing and social engineering significantly easier to execute.

ShinyHunters and the Oracle PeopleSoft Campaign

The Nottingham breach is one piece of a much larger attack campaign. ShinyHunters has been systematically targeting Oracle PeopleSoft instances, a widely deployed enterprise software suite used by large organisations to manage human resources, finance, payroll, and campus administration. The group claims to have breached more than 100 organisations worldwide through this campaign.

The attackers told researchers they are exploiting a chain combining zero-day vulnerabilities with older known flaws. They noted the method does not work universally, which suggests successful exploitation depends on how each individual PeopleSoft instance is configured. Oracle had not responded to questions about the campaign at the time of publication.

The University of Nottingham confirmed it is working with the third-party vendor that maintains the platform to lead a forensic investigation into the incident. The university has not formally attributed the attack, though ShinyHunters' claim is supported by the sample data it published.

UK Higher Education Under Sustained Pressure

Nottingham is the second major UK university to disclose a breach within the space of a week. SafeState reported on the Oxford University data breach last week, in which attackers compromised the CareerConnect careers platform operated by third-party provider Group GTI, exposing data belonging to students, alumni, research staff, and employer contacts.

Oxford has faced back-to-back incidents this year. Earlier in May, we covered the breach of Instructure's Canvas learning management system, which ShinyHunters also claimed and which affected Oxford among thousands of institutions globally.

The pattern across these incidents is consistent: attackers targeting third-party platforms that universities rely on for administrative and student-facing services. A single compromised vendor creates exposure across every institution using that platform. For universities managing tens of thousands of student records, the consequences scale quickly.

What Affected Students Should Do Now

The University of Nottingham said it is contacting affected individuals directly. For anyone who receives a notification, or who is a current or former Nottingham student and suspects their data may be involved, there are practical steps worth taking immediately.

Start by placing a fraud alert with the major UK credit reference agencies: Experian, Equifax, and TransUnion. A fraud alert prompts lenders to run additional checks before opening new accounts in your name. Given that passport numbers were exposed, it is also worth contacting the Passport Office to flag the situation and ask whether a replacement document is advisable.

Be alert to phishing attempts in the weeks and months ahead. Attackers who hold your name, address, phone number, and email address can craft convincing messages that appear to come from banks, the university itself, or government agencies. Scrutinise any unsolicited contact requesting personal details or login credentials, and verify directly with the claimed sender before acting.

Affected students whose payment card details may have been exposed should contact their bank directly and request a replacement card. Monitor statements closely for unfamiliar transactions.

A Systemic Problem, Not an Isolated One

The University of Nottingham data breach is the latest in a series of high-profile incidents involving ShinyHunters that SafeState has tracked across 2026. The group has moved steadily through sectors and platforms, from healthcare and dental benefits providers to video infrastructure vendors and now education. The Oracle PeopleSoft campaign represents a significant escalation in operational scale, with the group claiming to have compromised more than 100 organisations through a single exploitation chain.

For affected students, the immediate priority is protecting their identity and financial accounts. For universities and the vendors they rely on, the question of how PeopleSoft instances are configured and patched has become considerably more urgent.