When Katherine Arksey received the email, she wasn’t overly concerned. A third-year criminology student at the University of Nottingham, she had seen institutional emails before: measured, circumspect, and meant to convey information without going overboard. Then she heard the numbers, and then she noticed it on the news. “I thought, this is a lot more serious,” she said. She is twenty-one. She had put her life on paper, her address, and her financial information in the hands of the university. “I never even thought it could be hacked into.”
The university seems to be experiencing that emotion at the moment, somewhere between quiet dread and disappointment. Data breach notification service Have I Been Pwned reports that up to 454,600 current and former students have been affected by the Nottingham University data breach, which was confirmed on June 12. It’s not a rounding error. Almost 500,000 people who voluntarily provided personal information are now unsure of what is stored on a server they will never be able to access.
ShinyHunters, a cybercrime group with a growing list of institutional victims, is responsible for the breach. By taking advantage of flaws in Oracle’s PeopleSoft software suite, a platform that is frequently used for HR and financial operations, the group is thought to have compromised systems belonging to more than 100 organizations between May 27 and June 9. The higher education sector accounted for 68% of those targeted. It turns out that colleges are near-perfect targets due to their enormous rotating user bases, massive personal data stores, and systems that frequently rely on outside vendors who might or might not have their own security in order.
One such third party was under contract with the University of Nottingham. Since then, that platform has been shut down. A representative confirmed that the university is assisting law enforcement and has informed Action Fraud, the National Cyber Security Centre, and the Information Commissioner’s Office. What they have either been unable to confirm, or have decided not to, is the exact extent of what was taken. The university stated that it is “operating on the precautionary assumption” that certain financial and insurance information, names, email addresses, university IDs, and course details were all accessed. In that sentence, “precautionary assumption” is doing a lot of heavy lifting.

The Nottingham Post has reported evidence of a student’s address and bank account information showing up online. At least one student has already received scam calls. Gene Matthews, a partner at the law firm Leigh Day, told reporters that compensation claims could be “substantial”, covering both monetary losses and the distress the breach has caused, if security measures are determined to have been insufficient.
It’s difficult to ignore the uneasy feeling that permeates everything. Universities hold a unique position in terms of institutional trust. Enrollment requires students to give something; they do not choose what to give. Nevertheless, it is evident from the Nottingham University data breach that the systems containing that data are not always handled with the seriousness that trust requires.
“There are over 400,000 people so hopefully I’m not interesting enough to be targeted,” stated an anonymous PhD student at the university. However, it remains unsettling. That is arguably the most honest summary currently available. The inquiry is still ongoing. There aren’t many answers. ShinyHunters has moved on to the next institution somewhere.
