University of Nottingham Breach: 455K Records Exposed (2026)

Overview

On June 2, 2026, the University of Nottingham confirmed a significant data breach after a cyber attack linked to the ShinyHunters hacking group. Threat actors published tens of gigabytes of stolen data online, affecting 454,635 unique email addresses. The compromised records include extensive personal information such as names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and sensitive academic enrollment and fee payment data. The university stated the breach impacts both current students and alumni.

What Was Exposed

The leaked dataset contains a wide range of personal and sensitive information:

• Email addresses - 454,635 unique email addresses.
• Names - full names of students and alumni.
• Phone numbers - direct contact numbers.
• Physical addresses - home addresses of affected individuals.
• Ethnicities and disabilities - protected characteristics revealed.
• Passport numbers - high-risk identity data.
• Academic enrollment and fee records - course details, enrollment status, and payment history.

This combination of data elevates risk far beyond a simple credential leak. Passport numbers and academic records are particularly valuable for identity theft and fraud.

How the Breach Happened

ShinyHunters claimed responsibility via a “pay or leak” extortion campaign. The group posted the stolen data on hacker forums after the university reportedly did not meet their ransom demands. The attackers likely exploited a vulnerability in the university’s external-facing systems or gained access through compromised credentials - though the university has not disclosed the exact entry point. As of this advisory, no CVE-2026-XXXX-XXXX has been publicly associated with the attack.

Identity Theft Risks

With passport numbers and addresses exposed, affected individuals face elevated identity theft risks. Fraudsters can use passport numbers to apply for credit, open bank accounts, or commit immigration fraud. The combination of names, addresses, and phone numbers enables targeted phishing campaigns and social engineering attacks. Alumni who may not immediately consider themselves at risk should be especially cautious, as their current personal details - possibly unchanged from university years - are now publicly accessible.

How to Check If You’re Affected

• Visit Have I Been Pwned and enter your email address.
• The University of Nottingham is also contacting affected individuals directly; check your inbox (including spam) for official notifications.
• If you’re a current student or alumnus and have not received any communication, search your email address on HIBP as a precaution.

What to Do Right Now

1. Change your university password - especially if reused elsewhere. Use a strong, unique passphrase.
2. Enable multi-factor authentication (MFA) on your university account and any accounts that use a similar email address.
3. Freeze your credit with the three major credit bureaus (Equifax, Experian, TransUnion) if your passport number was exposed. This prevents new accounts from being opened in your name.
4. Monitor your credit reports for unauthorized activity.
5. Be alert to phishing - scammers may impersonate the university or financial institutions using your real data. Do not click links or open attachments from unverified senders.
6. Report lost or stolen passport numbers to the UK Passport Office if you suspect fraudulent use.

Security Insight

This breach underscores a recurring pattern in higher education: universities hold decades of sensitive data on current students and alumni but often lack the robust security posture of financial institutions. The exposure of passport numbers and disability data - protected under UK data protection laws - suggests the university may not have properly segmented or encrypted its most sensitive datasets. For organizations with long-term data retention obligations, this incident reinforces the urgent need for data minimization: if you no longer need passport numbers or disability records for current students, delete them. ShinyHunters specifically targets entities with large repositories of personal data, meaning universities remain high-value, low-defense targets in the cybersecurity news landscape.

Further Reading

• All High Breaches
• Recent Data Breaches