ShinyHunters Exposes 454,600 Nottingham Students
Key insights
- ShinyHunters used a 'gadget chain' of zero-days and older vulnerabilities to compromise Oracle PeopleSoft, not a single known flaw.
- The 40GB breach covers 454,600 students' passport numbers, ethnicity, disability data, and financial records across campuses in three countries.
- ShinyHunters has targeted over 100 organizations globally through the same Oracle PeopleSoft vulnerability chain.
Why this matters
Oracle PeopleSoft powers campus administration, HR, finance, and payroll across global higher education, meaning a single exploitable vulnerability chain can cascade across hundreds of institutions simultaneously. The combination of passport numbers, ethnicity, disability data, and payment records in one breach creates compounded identity fraud risk for 454,600 individuals that extends far beyond typical credential leaks. For technical leaders running centralized ERP platforms, this attack shows how gadget-chain exploits weaponize legacy code paths in ways that standard patching cycles and perimeter defenses miss entirely.
Summary
ShinyHunters has claimed a breach of the University of Nottingham's Oracle PeopleSoft systems, exposing records on 454,600 current and former students across UK, Malaysia, and China campuses.
The attack used a 'gadget chain' combining zero-days and older vulnerabilities against PeopleSoft, which manages campus administration, HR, finance, and payroll. Stolen data exceeds 40GB and includes passport numbers, home addresses, ethnicity, disability data, and payment details.
In short, ShinyHunters and the University of Nottingham are at the center of a breach that extends well beyond typical academic record exposure:
- Over 40GB taken, covering passport numbers, ethnicity, disability data, and student finance records
- The university has notified Action Fraud and the UK's Information Commissioner's Office
- ShinyHunters posted the claim on its dark web leak site before the university made its official disclosure
This is part of a wider ShinyHunters campaign targeting over 100 organizations globally through the same PeopleSoft vulnerability chain.
Potential risks and opportunities
Risks
- The 454,600 affected students, including those at Malaysia and China campuses, face heightened passport fraud and targeted phishing over the next 12-24 months given the richness and sensitivity of the stolen data.
- Institutions still running vulnerable Oracle PeopleSoft instances among ShinyHunters' 100+ targets could face additional breach disclosures in coming weeks as the gang processes its stolen data.
- The UK Information Commissioner's Office could impose significant GDPR fines on the University of Nottingham if its PeopleSoft configuration is found to have lacked adequate security controls.
Opportunities
- Oracle PeopleSoft security specialists and higher-education IT security vendors are positioned to capture rapid procurement from the 100+ affected institutions seeking emergency hardening.
- Higher-education cyber insurers face both repricing pressure and new business from institutions that lacked coverage for ERP-level breaches of this scale.
- Identity protection and credit monitoring services can move quickly on partnership deals with the University of Nottingham and peer institutions to cover 454,600 affected students.
What we don't know yet
- Whether ShinyHunters has issued a specific ransom demand to the University of Nottingham, and its value, is undisclosed in public reporting.
- The full list of the 100+ organizations targeted in the PeopleSoft campaign has not been published, leaving potentially affected institutions unaware of their exposure.
- Whether Oracle has issued patches or mitigations for the specific gadget-chain vulnerabilities used, and on what timeline, is not addressed in the article.
Originally reported by bleepingcomputer.com
Original headline: Nottingham University Data Breach Affects 454,600 Students — ShinyHunters Steals Passports, Ethnicity and Disability Data via Oracle PeopleSoft