
Cyber Incident Victim: University of Nottingham

Date: May 2026

Location: United Kingdom

Summary

ShinyHunters exploited an unpatched Oracle PeopleSoft zero-day vulnerability to infiltrate the networks of over a hundred organizations, primarily in higher education, and began extorting victims after leaking stolen data. The University of Nottingham confirmed that a significant amount of student data was taken in the attack, and the vendor has issued mitigations but no patch for the flaw. Google warned more than a hundred potentially exposed entities, noting that most are U.S.-based and about two-thirds belong to the education sector, while the campaign remains active with ongoing extortion attempts.


Description

The exploitation of CVE-2026-35273, an unauthenticated remote code execution flaw in Oracle PeopleSoft PeopleTools, began no later than May 27, 2026, according to Mandiant’s analysis. Threat actors affiliated with the ShinyHunters group used the vulnerability to gain control of affected servers and subsequently accessed the networks of more than one hundred organizations, with a significant concentration in the higher education sector. The group’s activity came to the attention of Mandiant and the Google Threat Intelligence Group earlier in June 2026 as part of their ongoing monitoring of ShinyHunters operations. On Tuesday, June 10, 2026, ShinyHunters began publicly naming victims and releasing allegedly stolen data, and the University of Nottingham was identified among those targets. The following day, Wednesday, June 11, 2026, the university confirmed that a substantial amount of student data had been exfiltrated during the attack after the threat group leaked portions of that information.


The confirmed impact on the University of Nottingham involved the theft of student records, though the article does not specify the exact types or volume of data beyond describing it as a significant amount. ShinyHunters followed the data leak with extortion demands, a tactic they had been employing against other victims in the campaign. Mandiant’s chief technology officer, Charles Carmakal, noted that extortion messages were still being sent as recently as the day of the article’s publication, indicating the campaign remained active. Google reported that it had alerted more than one hundred organizations about potentially vulnerable Oracle PeopleSoft endpoints in their environments, although it did not disclose how many of those entities had actually been compromised. Oracle, after weeks of ongoing exploitation, publicly disclosed the CVE-2026-35273 vulnerability on Wednesday, June 12, 2026, and issued mitigation guidance, but had not released a patch at that time and did not respond to requests for comment.

In response to the public disclosure and the confirmed data theft, the University of Nottingham issued a statement acknowledging the breach and the leak of student data by ShinyHunters. The university’s confirmation came after the threat group’s leak, marking its official recognition of the incident. Mandiant continued to monitor the activity and warned that additional victims beyond those identified by Google might be affected. The broader context noted that this Oracle PeopleSoft zero‑day exploit followed a similar zero‑day attack by the Clop ransomware group on Oracle E‑Business Suite less than a year earlier, which had also led to a data‑theft extortion campaign that started in August and gained momentum in October. No further details regarding the university’s specific containment measures, notification procedures, or law‑enforcement involvement are provided in the source material.
