University of Nottingham

ShinyHunters added the University of Nottingham to their victim list, claiming to have exfiltrated data on 454,600 individuals. Nottingham is a major UK Russell Group research university with campuses in the UK, China, and Malaysia.

The breach exposed student and staff records including contact information, passport numbers, and financial data related to tuition fees. Universities hold uniquely comprehensive personal data—everything from identity documents to financial information to academic records.

Names, addresses, phone numbers, email addresses, passport numbers, and tuition fee data. For an international university with students from around the world, passport numbers represent identity documents from dozens of countries.

454,600 records likely spans current students, alumni, staff, and applicants accumulated over years. University databases don't just contain current enrollment—they contain the full history of everyone who's passed through the institution.

Current students whose passport numbers and personal details are now exposed. International students particularly vulnerable—passport data combined with personal information enables sophisticated identity fraud across borders. Alumni who graduated years ago but whose records persisted in university systems.

Tuition fee data reveals financial circumstances. Passport numbers are high-value identity documents. The combination creates comprehensive profiles useful for both identity theft and targeted social engineering.

Universities invest in IT security. They have cybersecurity teams, comply with data protection regulations, and implement security frameworks. UK institutions operate under strict ICO oversight.

But universities are structurally difficult to secure. Decentralized IT, academic freedom cultures that resist restrictive controls, legacy systems from decades of technology accumulation, and massive user populations with varying security awareness. Every department, research group, and administrative function is a potential entry point.

Universities accumulate decades of student records. Admissions data, enrollment records, financial aid, housing, academic transcripts—all persisting across system migrations and administrative changes. How long are passport copies retained? Where do old application records live?

454,600 records suggests data well beyond current enrollment. The breach scope includes historical data that should have been purged, archived, or minimized years ago. When you don't know what data still exists in which systems, you can't protect it.

UK GDPR applies. The ICO requires notification within 72 hours of becoming aware of a breach involving personal data. With passport numbers involved, this is a high-severity incident requiring individual notification to affected persons.

International students add complexity—data protection obligations may extend across multiple jurisdictions. The university must identify and notify affected individuals across current students, alumni, and staff spanning years of enrollment.