The University of Nottingham has confirmed a major cyber-attack that exposed a "significant amount of data" belonging to current and former students, including financial information drawn from its record system. The breach, confirmed by the university on 10 June and now under analysis by external experts, has been claimed by the prolific criminal group ShinyHunters. According to Have I Been Pwned founder Troy Hunt, 455,000 unique email addresses were caught up in the incident, while a separate source cited by Trend AI's Jonathan Lee indicates roughly 40 gigabytes of data was exfiltrated.
What Happened
Last week, hackers from a well-known criminal collective launched a coordinated intrusion against the University of Nottingham, a major UK academic institution. On 10 June, the university publicly confirmed that attackers had accessed records tied to its student management system. The scale prompted independent review by two named cyber-security experts: Troy Hunt, founder of the breach-notification service Have I Been Pwned, and Jonathan Lee of cyber-security firm Trend AI.
The case is still being pieced together, but the consensus is that this was not a smash-and-grab against a public-facing website. Investigators believe the threat actor gained a foothold, moved laterally through the environment, and reached a central repository holding sensitive student records before pulling data out.
What Was Taken
The university acknowledged that a "significant amount of data" belonging to both current and ex-students was accessed, and critically, that this included financial information. That combination of identity data and financial detail makes the affected population attractive targets for follow-on fraud.
Hunt's analysis loaded 455,000 unique email addresses into Have I Been Pwned. He cautioned that the count of actual individuals affected will be a subset of that figure, because many records contain both a university address and a personal address for the same person. Separately, Lee said a trusted source told him approximately 40 gigabytes of data had "gone missing." Even after discounting duplicate addresses, the affected population is expected to be very large.
Why It Matters
Universities sit on a uniquely rich data pool: identity documents, financial and loan information, health and disability records, research material, and decades of alumni history. They also run sprawling, federated networks with thin security budgets and heavy reliance on third-party suppliers, which makes them soft targets relative to the value they hold.
ShinyHunters has been linked to a long string of high-volume data thefts, and the group's involvement signals that academic record systems are firmly in scope for financially motivated actors. For defenders across the education sector, the Nottingham breach is a warning that a single weak supplier or a convincing phone call can put hundreds of thousands of records in a criminal's hands.
The Attack Technique
The experts pointed to two plausible entry methods, both consistent with ShinyHunters tradecraft. Hunt raised voice phishing, where attackers call staff directly and socially engineer them into surrendering credentials or access. Lee noted that voice phishing is the group's "normal way of operating," but assessed that this particular intrusion was more likely a supply chain attack.
In Lee's view, a third-party supplier managing student data was probably breached first, giving the attacker a route in. He described how criminals exploit "vulnerabilities" or "holes" in connected systems: "it's quite possible that this vulnerability in a third-party system that managed all the student data was the way that the threat actor was able to get into the environment and then move around." Hunt also noted that members of these crews are "usually teenagers or early 20s, very often still legally children," a reminder that low cost of entry does not mean low impact.
What Organizations Should Do
- Harden the help desk against voice phishing. Require identity verification that cannot be satisfied with publicly known details, and never reset credentials or MFA on a phone request alone.
- Inventory and assess third-party suppliers that touch sensitive data. Demand evidence of their security posture, restrict their network access to least privilege, and monitor those integration points closely.
- Segment internal networks so that a foothold in one system cannot translate into free movement toward central record stores. Limit and log lateral pathways.
- Deploy egress monitoring and data loss prevention to catch large outbound transfers. A 40 GB exfiltration should trip alarms long before it completes.
- Enforce phishing-resistant MFA across staff and supplier accounts, and rotate or revoke standing credentials that grant broad data access.
- Maintain a tested incident response and breach-notification plan, and bring in external forensics early to scope access and contain lateral movement.
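As an added illustration of the egress-monitoring recommendation above (this is example code written for this page, not anything from the university, the experts quoted, or any product), the script below reads constructed flow records, counts only bytes leaving an assumed internal address space, keeps a rolling per-host total over a one-hour window, and raises an alert as soon as a host crosses an assumed 5 GB threshold, i.e. long before a transfer the size reported here would complete. The sample flows, the internal ranges, the window and the threshold are all assumptions chosen for the example.

```python
"""Rolling-window egress volume detector (added example; constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; an explicit list is used rather than
# ipaddress.is_private, which also treats documentation ranges
# such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WINDOW = timedelta(hours=1)
THRESHOLD_BYTES = 5 * 10**9  # assumed: 5 GB outbound per host per rolling hour

# Constructed sample flow records: "timestamp,src_ip,dst_ip,bytes_out".
# Host 10.20.30.40 pushes ~1.2-1.5 GB every five minutes to one external
# address; the internal copy at 01:00 and the small transfer from .41 are noise.
SAMPLE_FLOWS = """\
2024-06-10T01:00:00,10.20.30.40,10.20.30.5,900000000
2024-06-10T01:05:00,10.20.30.40,203.0.113.9,1200000000
2024-06-10T01:10:00,10.20.30.40,203.0.113.9,1500000000
2024-06-10T01:15:00,10.20.30.40,203.0.113.9,1400000000
2024-06-10T01:20:00,10.20.30.40,203.0.113.9,1300000000
2024-06-10T01:25:00,10.20.30.41,198.51.100.7,50000000
2024-06-10T01:30:00,10.20.30.40,203.0.113.9,1000000000
2024-06-10T03:30:00,10.20.30.40,203.0.113.9,100000000
"""


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def is_egress(src, dst):
    """True only for flows from an internal address to a non-internal one."""
    return is_internal(src) and not is_internal(dst)


def parse_flows(text):
    """Yield (timestamp, src, dst, bytes) from the CSV-like flow text."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def detect_bulk_egress(text, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return alerts as (timestamp, src_ip, bytes_in_window).

    Records are assumed to arrive in time order. Internal-to-internal flows
    are ignored; once a host alerts, it is not re-alerted until a full
    window has passed, so one sustained transfer yields one alert.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, bytes) inside the window
    totals = defaultdict(int)     # src -> running byte total of that deque
    alerted_until = {}            # src -> earliest time a new alert is allowed
    alerts = []
    for ts, src, dst, nbytes in parse_flows(text):
        if not is_egress(src, dst):
            continue
        q = recent[src]
        q.append((ts, nbytes))
        totals[src] += nbytes
        # Evict records that have fallen out of the rolling window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[src] -= old
        if totals[src] >= threshold and ts >= alerted_until.get(src, datetime.min):
            alerts.append((ts, src, totals[src]))
            alerted_until[src] = ts + window
    return alerts


if __name__ == "__main__":
    for ts, src, total in detect_bulk_egress(SAMPLE_FLOWS):
        print(f"{ts.isoformat()} ALERT {src} sent {total / 1e9:.1f} GB outbound within {WINDOW}")
```

On the constructed data the alert fires at 01:20, after 5.4 GB has left, while the 01:30 flow is suppressed as part of the same event and the 03:30 flow starts a fresh, sub-threshold window. In production the same logic would sit over NetFlow/IPFIX or firewall logs, and the threshold would be set per role (a backup server's baseline is not a workstation's).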
Sources: University of Nottingham cyber-attack analysed by experts