Nottingham University Breach Exposes Data on 454,600 Students

ShinyHunters posted 40GB of stolen data on 454,600 University of Nottingham students, exposing passport numbers, disability data, and credit card details.

    The University of Nottingham has confirmed that ShinyHunters accessed its student record system and extracted more than 40GB of data covering 454,600 current and former students across the university’s UK, Malaysia, and China campuses — placing it among the most comprehensive student data breaches in British higher education.

    ShinyHunters Posts 40GB of University of Nottingham Student Records on Dark Web Leak Site

    ShinyHunters claimed responsibility for the breach and began publishing stolen data on their dark web leak site. The university confirmed the intrusion in a statement acknowledging that “a significant amount of data in our student record system has been accessed by a well-known cybercriminal group.” Have I Been Pwned confirmed 454,600 affected individuals in the dataset.

    The attack is one component of ShinyHunters’ wider exploitation campaign against Oracle PeopleSoft deployments worldwide, in which the group used a zero-day vulnerability chain to compromise approximately 300 PeopleSoft instances across more than 100 organizations. The University of Nottingham’s student record system ran on PeopleSoft, making it one of the campaign’s highest-profile confirmed victims.

    Passport Numbers, Disability Records, and Credit Card Data in the 40GB Stolen Dataset

    The scope of the exposed data distinguishes this breach from typical name-and-email credential compromises. The data confirmed stolen includes full names, home addresses, phone numbers, dates of birth, IP addresses, email addresses, ethnicities, disability information, passport numbers, student finance data, billing information, and credit card details.

    Ethnicity and disability are protected characteristics under UK GDPR’s special category data provisions, which impose heightened obligations on data controllers and carry greater regulatory scrutiny when exposed without authorization. Passport numbers enable identity fraud that can cross borders and persist for years after exposure. Credit card details and billing information create direct financial harm vectors for each affected individual. The presence of protected characteristics data, government identity documents, and payment information in a single exfiltrated dataset makes the breach particularly consequential for the students affected.

    UK, Malaysia, and China Campus Students Caught in the Three-Jurisdiction Nottingham Breach

    The University of Nottingham operates campuses in the United Kingdom, Malaysia, and China — and students from all three locations are included in the affected population. That geographic spread creates a multi-jurisdictional data protection exposure. UK students’ data falls under UK GDPR and the supervision of the UK Information Commissioner’s Office. Students enrolled through the Malaysia campus fall under the Malaysian Personal Data Protection Act. Students from the China campus fall under China’s Personal Information Protection Law. A single breach of the university’s centralized student record system simultaneously triggered obligations under three separate data protection regimes.

    Nottingham Reports to Action Fraud and the UK ICO as Regulatory Investigation Begins

    The University of Nottingham notified Action Fraud and the UK Information Commissioner’s Office following the breach confirmation. ICO referrals in data breach cases open a formal regulatory process that can result in enforcement action under UK GDPR, which carries significant financial penalties for organizations found to have inadequate data protection controls. The ICO has conducted investigations into universities following previous breach incidents in the UK higher education sector.

    The university’s public statement provided no information about how long ShinyHunters maintained access to the student record system or what security controls were in place at the time of the intrusion. Those details are likely to be central to any ICO investigation of the breach.

    All organizations affected by ShinyHunters’ broader Oracle PeopleSoft campaign received extortion demands — and the University of Nottingham is among them. The university now faces simultaneous regulatory investigation, breach notification obligations to hundreds of thousands of individuals across three countries, and extortion pressure from a group with a documented history of publishing stolen data when payments are refused.
