On Tuesday, June 9, 2026, IT staff at the University of Nottingham noticed something wrong with their Campus Solutions system. By the time they pulled it offline, a well-organised cybercrime gang had already walked out with over 40GB of data covering 454,600 current students and alumni – passports, payment details, phone numbers, ethnicities, disabilities, the works.
Here’s everything known so far, including the technical side of how the attack worked.
Who Did This? ShinyHunters
The university has not officially named the attackers in its public statements, but ShinyHunters claimed responsibility on Tuesday, posting an archive of stolen documents on their dark web leak site as proof.

ShinyHunters is not some new crew. They’ve been around since at least 2020 and have a long track record: the Tokopedia breach (91 million accounts), the Wattpad leak, AT&T customer data, Ticketmaster (560 million accounts in 2024). They operate an extortion model – steal data, post a sample publicly, wait for payment or attention.
This attack is not an isolated incident. According to BleepingComputer, it’s part of a broader campaign in which ShinyHunters has breached over 100 organisations worldwide by targeting Oracle PeopleSoft installations.
The Attack Vector: Oracle PeopleSoft
This is the technical crux of the whole story, and it’s not getting enough attention.

What is Oracle PeopleSoft?
PeopleSoft is Oracle’s enterprise software suite, used by large institutions to manage HR, finance, payroll, supply chain and, critically for universities, campus administration. The campus-facing module is called Campus Solutions (also sold as part of Oracle’s higher-education platform). Nottingham used it to store student records: enrolment, fees, personal identifiers, financial aid.
PeopleSoft runs on a web-accessible portal called PeopleSoft Internet Architecture (PIA), which means it has an internet-facing login page and therefore an attack surface.
How did ShinyHunters get in?
When BleepingComputer asked the gang directly, they said they used a “gadget chain” combining zero-day vulnerabilities with older known CVEs. They also noted the attack doesn’t work on every system. Success depends on how each institution’s PeopleSoft instance is configured.
The phrase “gadget chain” is significant. In exploit development, a gadget chain (or ROP chain, for Return Oriented Programming) strings together small pieces of existing code in memory to build an exploit that bypasses defences like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomisation). When applied to a web application context like PeopleSoft, it typically refers to chaining multiple vulnerabilities: perhaps a server-side request forgery (SSRF) leading to an authentication bypass, combined with a known deserialization flaw, to achieve remote code execution or data exfiltration.
Oracle has not responded to BleepingComputer’s requests for comment about whether an actively exploited zero-day exists in PeopleSoft. That silence is not reassuring for the 4,000+ organisations worldwide that run PeopleSoft installations.
The university confirmed it is working with the third party that maintains the platform (likely a managed services provider or Oracle partner) to lead the forensic investigation.
What Data Was Taken
The university told affected students to assume four categories of data were accessed:
- Contact details: names, email addresses, postal addresses
- University records: course information, student and staff ID numbers
- Financial information: billing, payment history, fee records
- Personal identifiers: National Insurance numbers, protected characteristics (ethnicity, disability status)
ShinyHunters’ post on their leak site added more specific detail: credit card and payment data, campus portal exports, IP addresses, phone numbers, dates of birth, passport numbers, and data from Nottingham’s Malaysia and China campuses as well as its UK campus.
Have I Been Pwned (HIBP), the widely-used breach notification service run by Troy Hunt, analysed the leaked data and on Wednesday confirmed the breach affects 454,600 people. HIBP’s entry for the breach lists: email addresses, names, home addresses, phone numbers, ethnicities, disabilities, passport numbers, academic enrolment data, and fee payment details.
That is a lot of data points per person. For context: name + date of birth + NI number + passport number is essentially everything needed to attempt identity fraud, open credit accounts, or conduct targeted phishing. Students who’ve already graduated and moved on may not even know to check their email for the university’s alert.
How the University Responded
The university says it detected unauthorised activity on the Campus Solutions system on Tuesday, June 9, immediately took affected systems offline, and launched an investigation. Chief Governance and Risk Officer Jason Carter sent an email to affected students and alumni explaining the situation and outlining the four data categories on a precautionary basis.
Actions taken so far:
- All affected students and alumni contacted directly by email
- Incident reported to Action Fraud (UK’s national fraud reporting centre)
- Incident reported to the Information Commissioner’s Office (ICO) – required by UK GDPR within 72 hours of becoming aware of a breach
- Systems taken offline to contain the incident
- Forensic investigation launched with the platform’s third-party maintainer
The ICO confirmed receipt: “The University of Nottingham reported an incident to us and we are assessing the information provided.”
The university has set up a dedicated support line: 0115 74 86500.
Timing Is Awful
It’s hard to separate the data breach from the wider context at Nottingham right now.
The university told 2,700 staff – over a third of its workforce – that they’re at risk of redundancy in May 2026, citing “changing sector demands” and financial pressures. It confirmed plans to cut 609 of its 7,363 full-time equivalent roles over three years. In response, staff launched a marking and assessment boycott via the University and College Union (UCU), which the union said would effectively block the university from issuing graduation certificates.
Students are caught in the middle. One of them, Abigail Maguire, told the BBC that the boycott threatens to override her third-year results, where she averaged a first, with earlier grades earned while she was dealing with the death of her brother. “I worked really hard in my third year, I managed to average for a first, so that makes up for the lost marks in my second year, and now all of that could just be overridden,” she said.
Now add a data breach on top. The personal information Maguire and tens of thousands like her submitted to the university – including protected characteristics, health information used in mitigating circumstances, and financial details – is potentially in criminal hands.
This Is the Second UK University Breach in Days
Nottingham is not alone. The University of Oxford disclosed last week that its CareerConnect career services platform was compromised on May 28, 2026. Two major UK universities in two weeks is a pattern worth noting — and it likely reflects the broader PeopleSoft campaign ShinyHunters is running, not a sudden surge of interest in academia specifically.
What Affected Students Should Do Right Now
- Check your university email. Nottingham says it has contacted everyone affected directly.
- Freeze your credit file. In the UK, you can do this for free via Experian, Equifax, and TransUnion. Given that NI numbers and passport details are involved, this is not overcautious.
- Report suspicious contact. If you get an email, call, or text claiming to be from your bank, HMRC, or any financial body that asks to verify details, hang up or don’t reply.
- Check Have I Been Pwned. Go to haveibeenpwned.com and enter your university email address. HIBP has ingested this dataset.
- Call the university helpline if you need support: 0115 74 86500.
What Happens Next
Oracle has not commented. ShinyHunters is presumably waiting to see whether the university pays anything, though universities are generally not known for paying ransoms. The ICO will investigate and could issue a fine under UK GDPR; the maximum is £17.5 million or 4% of annual global turnover, whichever is higher. Given Nottingham’s financial situation, that would not come at a good time.
The forensic investigation will take weeks, possibly months. The real question for the broader higher-education sector is whether Oracle is going to publish details of the PeopleSoft vulnerabilities being exploited and whether the 100+ other affected organisations have even noticed they were breached yet.








