ShinyHunters, the hacking group behind some of the largest data breaches of recent years, has published more than 40 gigabytes of stolen data from the University of Nottingham, exposing the personal records of approximately 455,000 current and former students across three international campuses. The stolen data is already circulating publicly, leaving victims with no practical way to contain the exposure.
What Was Stolen and Who Is Affected
The leaked dataset covers students and alumni from the University of Nottingham's campuses in the United Kingdom, Malaysia, and China. According to analysis of the published files, the breach includes:
- Identity documents: Passport numbers and copies, national ID data
- Financial records: International Bank Account Numbers (IBANs), payment history
- Sensitive personal data: Ethnic background, disability status, medical accommodation records
- Academic records: Enrollment data, grades, disciplinary records
- Contact information: Home addresses, phone numbers, email addresses
The combination of passport data, financial records, and sensitive categories such as ethnicity and disability creates a particularly serious harm potential. Identity fraud, targeted phishing, and discrimination based on leaked sensitive attributes are all realistic downstream risks for the 455,000 affected individuals.
How the Breach Happened: Oracle PeopleSoft Zero-Day
The attack exploited CVE-2026-35273, a critical vulnerability in Oracle PeopleSoft carrying a CVSS score of 9.8. The flaw allowed unauthenticated remote code execution via a standard HTTP request - no credentials, no insider access, no social engineering required. An attacker could reach the system directly from the internet and execute arbitrary commands with server-level privileges.
Oracle PeopleSoft is widely used in higher education as an enterprise resource planning system managing exactly the kind of data exposed here: student records, HR files, financial accounts, and administrative data. The University of Nottingham's deployment covered all three campuses, which explains the multinational scope of the breach. ShinyHunters reportedly exploited the vulnerability before a patch was publicly available, placing it in the category of zero-day attacks where defenders had no prior warning.
ShinyHunters' Escalating Breach Campaign
The Nottingham breach is the latest entry in what security researchers have started calling ShinyHunters' "eternal dump" strategy - a pattern of systematically targeting institutions with large, centralized databases and publishing the stolen data regardless of whether a ransom is paid. The group's confirmed previous targets include Carnival Corporation (nearly 6 million passenger records), Ticketmaster (560 million records), Santander Bank, and dozens of companies whose data was stolen via compromised Snowflake cloud accounts in 2025.
Unlike ransomware groups that encrypt data and demand payment for decryption keys, ShinyHunters releases the stolen data publicly - sometimes on criminal forums, sometimes freely. This makes the harm irreversible: once passport scans and IBANs are indexed across the dark web, victims cannot undo the exposure regardless of any subsequent action by the university or law enforcement.
University Response and Regulatory Notification
The University of Nottingham confirmed the incident and stated that it has notified the UK Information Commissioner's Office (ICO) and Action Fraud, the UK's national reporting center for fraud and cybercrime. Under the General Data Protection Regulation (GDPR) and the UK's equivalent post-Brexit framework, organizations are required to report breaches to the ICO within 72 hours of becoming aware of them when there is a risk to individuals' rights and freedoms.
The university said it is contacting affected individuals directly. However, with 455,000 people across three countries, the notification process will take time - during which affected students and alumni remain unaware of their specific exposure. Individuals who studied at Nottingham across the UK, Malaysian, and Chinese campuses should treat their passport data as potentially compromised and consider contacting their banks regarding any accounts linked to exposed IBANs.
Why University Networks Are High-Value Targets
Universities have become prime targets for sophisticated threat groups for structural reasons. They maintain decades of records on large student populations - including sensitive categories of data that financial institutions typically guard more carefully. International campuses create additional complexity: data governance across UK, Malaysian, and Chinese regulatory frameworks means security standards may not be uniformly applied. Enterprise systems like PeopleSoft are often deployed on older configurations, and patch cycles in higher education tend to lag behind corporate environments due to budget constraints and the complexity of upgrading systems that run continuously across academic calendars.
For students and staff who use VPN access to connect to university network resources remotely, the Nottingham breach is a reminder that encrypted tunnels protect data in transit but cannot compensate for vulnerabilities in the applications and databases at the other end of the connection. When the ERP system itself can be compromised without authentication, network-level controls that secure the connection do nothing to protect the records it holds.
What Comes Next
The ICO has the power to issue fines of up to 4% of global annual turnover for serious GDPR violations, and the Nottingham breach - covering sensitive special categories of data for hundreds of thousands of people - will likely face regulatory scrutiny. Whether the university applied adequate technical measures given the known risk profile of its Oracle PeopleSoft deployment will be a central question.
For the 455,000 affected individuals, the practical reality is grimmer. The data is already public. The focus must shift from prevention to harm reduction: monitoring for identity fraud, being alert to targeted phishing attempts that reference personal details only available in the leaked dataset, and treating all unexpected contact related to the university with suspicion.