The University of Nottingham has confirmed that a significant volume of personal data has been compromised in a cyber attack on its student records system.
In a statement published on 10 June, the university said it had been the victim of a cyber incident in which a significant amount of data in its student record system was accessed by an external third party. Two groups have been affected: current students and alumni, both of whom the university says it has contacted directly.
The university is understood to have identified unauthorised activity on its Campus Solutions system on Tuesday 9 June. In updates sent to those potentially affected, it said the systems concerned were immediately taken offline to contain the incident, and that it was working with the third party responsible for maintaining the Campus Solutions platform on a forensic investigation.
Categories of data potentially exposed include names, email and postal addresses, course details, student and staff ID numbers, financial information held within the system, and personal data including National Insurance numbers and protected characteristics, the latter raising the prospect of special category data being involved.
In an email to students, the university's chief governance and risk officer, Jason Carter, said the breach was likely the work of a group that had previously targeted a number of other organisations. Although not confirmed by the university, the attack has been claimed by ShinyHunters, a prolific extortion operation.
The group listed the university on its leak site, alleging it had compromised more than 40GB of data, including billing and payment records, student finance information and administrative exports spanning the university's UK, Malaysia and China campuses. It subsequently leaked a compressed archive exceeding 19GB. The group claims the data includes payer contact details, transaction amounts, IP addresses, names, home addresses, postcodes, email addresses, phone numbers and dates of birth.
ShinyHunters has been linked to numerous high-profile breaches of technology companies, retailers, educational institutions and cloud providers, and routinely names victims on its extortion portal, threatening to publish stolen data if demands are not met.
The university said it is working closely with Action Fraud, the Information Commissioner's Office and other regulatory bodies, and the National Crime Agency is also aware of the breach. An ICO spokesperson confirmed that the University of Nottingham had reported the incident to it.
Under Article 33 UK GDPR, controllers must notify the ICO of a personal data breach within 72 hours of becoming aware of it where there is a risk to individuals, with Article 34 requiring communication to affected data subjects without undue delay where that risk is high. The apparent involvement of financial data, National Insurance numbers and protected characteristics will be central to the ICO's risk assessment, as will the adequacy of the technical and organisational measures applied to the third-party-maintained platform under Articles 5(1)(f), 28 and 32.
The incident is the latest in a string of attacks on the higher education sector, which remains an attractive target given the volume of personal, financial and research data universities hold, and echoes the 2023 University of Manchester breach.
The university has established a dedicated support line on 0115 74 86500 and is urging students to monitor their university email accounts for updates. It apologised for any anxiety the incident may cause and said further updates will follow as the investigation progresses.

