Low Unverified

University of Nottingham Hit by ShinyHunters (June 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Claim Summary

On June 9, 2026, the ransomware and data extortion group known as ShinyHunters allegedly posted a claim on its dark web leak site targeting the University of Nottingham (nottingham.ac.uk). The threat actor claims to have exfiltrated over 40 gigabytes of sensitive data from the institution, including its campuses in Malaysia and China. According to the leak site post, the stolen data purportedly contains billing and payment records, credit card and payment details, student finance data, and campus portal exports. The group further claims the dataset includes payer contact information, transaction amounts, IP addresses, full names, home addresses, postcodes, email addresses, phone numbers, dates of birth, and other internal campus data. The compressed archive is allegedly 19GB+, with a SHA256 hash of d3aaaf06dd857deec3866072cc2876780623d880992e8d735094db4779535873. The post was updated on June 10, 2026.

Threat Actor Profile

ShinyHunters is a known data extortion group that has been active since at least 2020. The group has historically focused on stealing and selling large datasets from organizations, often targeting educational institutions, technology firms, and healthcare providers. Their modus operandi typically involves gaining initial access through compromised credentials, phishing campaigns, or exploiting unpatched vulnerabilities in web applications. They are known for exfiltrating data before deploying ransomware or simply threatening to leak the data if a ransom is not paid.

The group has a mixed credibility track record. In previous incidents, they have been linked to high-profile breaches, such as the 2021 attack on a major telecommunications provider and multiple data sales on underground forums. However, they have also been known to exaggerate the scale of their claims or repackage publicly available data as new breaches. Without independent verification, the University of Nottingham claim should be treated with skepticism. No public YARA rules or specific detection guidance for ShinyHunters is currently available, though general indicators of compromise (IoCs) for their operations often include unusual outbound data transfers and access to database servers.

Alleged Data Exposure

According to the threat actor, the exposed data includes:

  • Billing and payment records
  • Credit card and payment details (potentially including full card numbers, expiration dates, and CVV codes)
  • Student finance data
  • Campus portal exports
  • Payer contact information (full names, home addresses, postcodes, email addresses, phone numbers)
  • Transaction amounts and IP addresses
  • Dates of birth
  • Other internal campus data

The claimed volume of over 40GB (19GB+ compressed) suggests a significant breach if confirmed. The inclusion of credit card details and student finance data would represent a severe privacy and financial risk to affected individuals.

Potential Impact

If the claim is verified, the University of Nottingham could face:

  • Regulatory penalties under the UK GDPR and the Data Protection Act 2018 for failing to protect personal data.
  • Reputational damage affecting student enrollment and international partnerships, particularly with its Malaysia and China campuses.
  • Financial liability from affected students, staff, and third-party payers whose credit card details may be used for fraud.
  • Operational disruption from potential ransomware deployment or further extortion attempts.
  • Increased scrutiny from the Information Commissioner’s Office (ICO) and potential class-action lawsuits.

What to Watch For

  • The University of Nottingham has not yet issued a public statement. Monitor their official website and social media channels for confirmation or denial.
  • Watch for reports of data samples posted by ShinyHunters that could validate the claim. Do not access or download any samples yourself.
  • Watch for phishing emails targeting University of Nottingham affiliates, as threat actors often use stolen data for secondary attacks.
  • Monitor underground forums for sales of the alleged dataset.
  • If you are a student, staff member, or payer associated with the University of Nottingham, review your financial accounts for unauthorized transactions and consider placing a fraud alert.

Disclaimer

This report is based on an unverified claim posted by the ShinyHunters ransomware group on their dark web leak site. Yazoul Security has not independently confirmed the breach, the authenticity of the data, or the extent of the alleged compromise. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into paying ransoms. This information is provided for situational awareness only and should not be acted upon without further verification from official sources. No PII, download links, or access credentials are included in this report.
