For a university, the student records system is the institutional memory — decades of names, addresses, financial details, and identity documents belonging to everyone who has ever enrolled. When that system is breached, the harm does not stop at current students; it reaches alumni who left years ago and assumed their data left with them. The University of Nottingham is now living that scenario, and it has escalated to a criminal investigation.

The Russell Group university confirmed on June 12, 2026 that the cyberattack against it is the subject of a criminal probe, after students reported finding their passport numbers, bank account details, and home addresses leaked online. According to staff, hackers gained access to the university’s student records system at the end of May, exposing what the institution described as a “significant amount” of personal and professional information.

The scale

The numbers are severe. According to breach-notification service Have I Been Pwned, upwards of 454,600 current and former students were affected — a figure that captures the long tail of alumni records that make university breaches so damaging. The exposed data published online included roughly 455,000 unique email addresses alongside an extensive list of personal fields: names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and information relating to academic enrolment and fee payments.

That mix is what makes this breach so corrosive. Passport numbers and bank details feed straight into identity theft and financial fraud — and unlike a password, you cannot reset a passport number on a whim. The presence of ethnicity and disability data — special-category information under UK GDPR — raises the sensitivity and the regulatory stakes considerably. This is not a list of marketing emails; it is a dossier.

ShinyHunters claims it — again

The notorious extortion group ShinyHunters has claimed responsibility, posting documents on its dark-web site as proof and asserting it stole around 40GB of data, including “billing and payment records, credit card and payment details, student finance data.” Tens of gigabytes were subsequently published online.

None of this is out of character. ShinyHunters has spent years industrializing data theft and extortion, evolving from a Pokémon-inspired hacking crew into one of the most prolific breach-and-extortion operations on the planet. And the higher-education sector has become a recurring target: the Nottingham breach lands directly alongside the ShinyHunters campaign exploiting an Oracle PeopleSoft zero-day (CVE-2026-35273) against universities that we reported just days earlier, and follows the group’s massive breach of the Instructure Canvas learning platform exposing hundreds of millions of student records. Universities sit on rich identity data, run sprawling and often legacy IT estates, and have historically under-invested in security relative to the value of what they hold — a combination that has made them a standing target, as we’ve documented across the sector’s deepening cybersecurity crisis.

The extortion playbook

The publication of stolen documents “as proof” is not incidental — it is the mechanism. ShinyHunters’ model is double extortion stripped down to leverage: steal the data, threaten to publish it, and release a sample to demonstrate the threat is real and to pressure the victim toward payment. The leak students are now discovering is, in effect, the group’s negotiating tactic playing out in public, with the victims’ most sensitive identity documents as the bargaining chips.

The university confirmed the criminal investigation but said it was unable to provide further detail on the nature and extent of the incident — standard, and frustrating, caution while law enforcement and forensic teams work. For affected individuals, that silence collides with the urgent reality that their data is already circulating.

What the 454,600 should do now

If you are a current or former Nottingham student, treat your data as exposed and act accordingly:

  • Check Have I Been Pwned to confirm whether your email and data appear in the breach.
  • Guard against passport and identity fraud. Passport numbers cannot be reset, so heightened vigilance is the defense. UK residents can use the Action Fraud reporting service and watch for misuse; consider the steps the government recommends where identity documents are compromised.
  • Watch bank accounts closely for unauthorized activity and consider notifying your bank that your details may be exposed, given the leaked financial data.
  • Expect targeted phishing. Criminals armed with your name, course, and history will craft convincing “university” emails. Be sceptical of any message asking you to log in, pay, or “verify” details.

A group legal claim is already being organized on behalf of those affected — the now-routine aftermath of a UK breach of this magnitude, and a signal of the regulatory and financial exposure facing the university itself.

Nottingham did not choose to be a bank, a passport office, and a financial-aid processor all at once — but its records system made it all three, and ShinyHunters treated it accordingly. The criminal probe will chase the attackers. The 454,600 people in the leak will be managing the consequences long after the investigation closes.

Sources