University of Nottingham says student and alumni data was compromised
The University of Nottingham said a cyber incident exposed a significant amount of data belonging to current and former students, and warned that people connected to its campuses in Nottingham, Malaysia, and China may be affected. The university said it is still determining exactly what was accessed, but is treating contact details, university-related information, financial data, and sensitive personal information as potentially compromised while a third-party forensic investigation continues. It has notified affected students and alumni and published a notice confirming that student and alumni data had been compromised.
The ShinyHunters cybercrime group claimed responsibility on its extortion site, alleging it stole more than 40GB of material including credit card and payment details. Analysis of partially published data by Have I Been Pwned indicated the leak contains about 455,000 unique email addresses along with extensive personal information, although the full scope remains unverified and ShinyHunters has previously been accused of exaggerating or misrepresenting stolen data in extortion campaigns.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
University of Nottingham engages Action Fraud and ICO after breach
Following the breach disclosure, the University of Nottingham said it was working with Action Fraud, the Information Commissioner’s Office, and other regulators while notifying affected students and alumni. The university also said it took affected systems offline immediately after detecting the incident.
ShinyHunters claims theft of University of Nottingham data
The ShinyHunters cybercrime group claimed responsibility for the incident on its extortion site, alleging it stole more than 40GB of material including credit card and payment details. Analysis of partially published data reportedly found about 455,000 unique email addresses and extensive personal information in the leak.
University of Nottingham discloses student and alumni data security incident
The University of Nottingham announced that an external third party accessed a significant amount of data affecting current and former students, including individuals connected to its Nottingham, Malaysia, and China campuses. The university said it had contacted affected students and alumni and was conducting a forensic investigation to determine exactly what data was accessed.
University of Nottingham detects unauthorized activity in PeopleSoft system
The University of Nottingham detected unauthorized activity on its Oracle PeopleSoft Campus Solutions system on June 9, 2026. According to the reference, attackers had already exfiltrated more than 40GB of data affecting about 454,600 current students and alumni by the time the activity was identified.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Nottingham University cyber attack: Everything we know so far as ShinyHunters claims responsibility | IT Pro
itpro.com
Open sourceUniversity of Nottingham Data Breach: 454,600 Students Hit | The CyberSec Guru
thecybersecguru.com
Open sourceUniversity of Nottingham confirms cyber incident as Shiny Hunters group claims data theft | The Record from Recorded Future News
therecord.media
Open sourceStudent news - Student and alumni data has been compromised in a data security incident - University of Nottingham
nottingham.ac.uk
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Leaks Donor and Alumni Data Stolen from Harvard and UPenn
**ShinyHunters** published datasets it claims were stolen during prior breaches at **Harvard University** and the **University of Pennsylvania (UPenn)**, posting what it says are **over one million records from each university** to its leak site used for extortion. Reporting indicates the exposed information relates to the schools’ development/alumni functions; TechCrunch said it verified portions of the data by corroborating details with alumni and public records (including matching against student ID numbers). Both universities attributed the intrusions to **social engineering** targeting staff supporting alumni and fundraising operations. UPenn previously confirmed unauthorized access to “a select group” of systems tied to development and alumni activities and said attackers also used official university email addresses to message alumni about the incident. Harvard reported its Alumni Affairs and Development environment was accessed following a **phone/voice-phishing** attack, and its incident FAQ described impacted data as including contact details (email, phone, home/business addresses), event attendance, donation details, and other biographical and fundraising-related information; public reporting noted uncertainty about whether affected individuals would receive individual notifications under applicable state requirements.
Mar 21, 2026
ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign
ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s **Mariner Society** loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained **8.7 million records** and **7.5 million unique email addresses**, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified. The same group also posted a **"Pay or Leak"** notice claiming it had compromised Udemy and stolen more than **1.4 million user records** along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.
May 6, 2026
Figure Data Breach Linked to Employee Social Engineering and ShinyHunters Leak
**Figure Technology Solutions**, a blockchain-based lending/fintech firm, confirmed a **data breach** after an employee was **socially engineered**, enabling attackers to access and exfiltrate a **limited number of files**. The company said it is communicating with partners and impacted individuals, has begun sending notifications, and is offering **free credit monitoring** to recipients of breach notices; it has not publicly disclosed the total number of affected individuals or when the incident was detected. The cybercrime group **ShinyHunters** claimed responsibility and alleged Figure refused to pay a ransom, publishing about **2.5GB** of purportedly stolen data on its leak site. Journalists who reviewed samples reported the exposed data included **names, home addresses, dates of birth, and phone numbers**, increasing risk of identity fraud and follow-on phishing. ShinyHunters also told reporters the intrusion was part of a broader campaign affecting organizations including **Harvard University** and **UPenn**, and referenced victims that rely on **Okta** for single sign-on.
Mar 21, 2026