Sign in Subscribe
4 min read

Universities under siege: how ShinyHunters turned campus data into a crisis industry

Share
Universities under siege: how ShinyHunters turned campus data into a crisis industry

Analysis · June 12, 2026

The attack on the University of Nottingham is the latest in a wave targeting higher education. With 91% of UK universities breached in the past year, the sector has become the most exposed in the country — and institutions under financial strain are the most vulnerable of all.

When the University of Nottingham discovered unauthorised activity on its Campus Solutions student records system this week, it faced a familiar, ugly sequence: systems taken offline, forensic teams called in, an apologetic email to hundreds of thousands of people whose most sensitive personal data — national insurance numbers, financial details, protected characteristics — was already in someone else's hands.

The group responsible was ShinyHunters, a prolific ransomware crew that has been carving through British and international institutions at a pace that exposes a structural crisis in how universities think about security. The gang claimed to have extracted over 40 GB of data, including billing records, credit card details, student finance data, and campus portal exports stretching across Nottingham's UK, Malaysia, and China campuses.

A pattern, not an anomaly

The Nottingham attack did not arrive in isolation. It is part of a surge in targeted campaigns against higher education that, by virtually every measure, is intensifying. Recorded incidents rose from 260 between November 2023 and October 2024 to 425 in the following twelve months — a 63% jump spanning 67 countries. Over 3.96 million educational records were breached in 2025 alone, up 27% from the previous year.

ShinyHunters has been particularly active. Just weeks before the Nottingham breach, the same group claimed responsibility for the Canvas LMS attack — described as the largest educational security breach on record — which affected 8,809 universities and institutions worldwide and compromised data on approximately 275 million users. Harvard University was also among its recent targets.

"Universities are increasingly targeted both for the data they hold and the very diverse mixture of workloads and technologies." — Ambrose Neville, Queen Mary University of London

Why universities make easy targets

The reasons higher education attracts attackers are structural. Universities hold an unusually rich combination of data: student financial records, government identifiers, health and disability information, research intellectual property, and staff payroll — all under one roof. Unlike most corporate environments, they also operate with an ethos of openness, sprawling networks with thousands of endpoints, and high staff and student turnover that feeds credential theft.

Phishing accounts for 34% of ransomware incidents in the sector, while credential harvesting and infostealers are rampant precisely because student and staff populations cycle rapidly. A university's attack surface is effectively as large as its user base — and that base changes every September.

Recent attacks at a glance

  • April 2026 — Canvas LMS breach by ShinyHunters: 8,809 institutions globally, approximately 275 million users affected, the largest educational security breach on record.
  • February 2026 — University of Mississippi Medical Center: ransomware attack forces a nine-day shutdown of non-emergency operations, with a reported 20% revenue drop for the month.
  • March 2026 — Lehigh Carbon Community College, Pennsylvania: data breach forces closure of all campuses for more than a week.
  • March 2026 — Community College of Beaver County, Pennsylvania: ransomware encrypts all college data including grades, transcripts, and financial records; campus closed entirely.
  • June 2026 — University of Nottingham: 40+ GB stolen; 455,000 email addresses and extensive personal data including ethnicities, disabilities, and passport numbers published online.
  • June 2026 — Great Marlow School, Buckinghamshire: suspected malware attack forces partial closure during GCSE and A-level exam season.

Financial pressure as a compounding factor

The Nottingham breach arrives at a moment of acute institutional vulnerability. The university is in the middle of a restructuring that has put 2,700 staff at risk of redundancy — more than a third of its workforce — and sparked a marking boycott by the University and College Union that has already threatened graduation outcomes for this year's cohort.

This confluence is not unique to Nottingham. Across the sector, budget pressures and cybersecurity investment are competing for the same diminishing pool of resources. Smaller institutions may face the sharpest bind: the average cost of a data breach in education stands at $3.8 million, a sum that could prove existential for a financially stretched college.

In the United States, the picture has been worsened by policy decisions. The Trump administration eliminated key federal cybersecurity resources for schools — including shuttering the Department of Education's Office of Educational Technology and discontinuing K-12 programmes run through the Multi-State Information Sharing and Analysis Center — leaving institutions with fewer external supports precisely as attack volumes climb.

The human cost

Behind the data tables are people in genuinely difficult circumstances. For students already navigating the fallout of the marking boycott — some facing the prospect of having their final grades calculated from earlier years that failed to reflect serious personal hardship — the breach adds another layer of uncertainty. Their most sensitive information, including details of protected characteristics and financial situation shared with the university in confidence, may now be circulating on criminal leak sites.

Affected individuals have been directed to monitor accounts for suspicious activity and update credentials. The advice is sound but modest given the depth of what has been exposed. National insurance numbers, passport data, and ethnicity records cannot simply be changed.

What needs to happen

Cybersecurity researchers are consistent on the interventions that reduce risk in the sector: mandatory multi-factor authentication across all student and staff systems, regular penetration testing of legacy platforms like Campus Solutions, robust third-party supplier security audits, and faster incident response plans that don't leave systems exposed during forensic investigations.

Regulatory pressure is increasing. The UK's Information Commissioner's Office has confirmed it is assessing the Nottingham incident. With 91% of UK universities now reporting breaches in a twelve-month window, the ICO and sector bodies face a question about whether voluntary compliance frameworks are adequate — or whether universities, like financial institutions and healthcare providers, need mandatory minimum standards enforced by statute.

ShinyHunters will not stop. The financial incentives are clear, the targets are plentiful, and the data held by universities is among the most monetisable available. The question is whether institutions and regulators can close the gap before the next term begins.

Key figures

  • 63% rise in attacks on higher education year-on-year (2025–26)
  • 455,000 email addresses leaked in the Nottingham breach alone
  • 91% of UK universities reported at least one breach in the past 12 months
  • $3.8 million average cost of a data breach in the education sector globally
  • 3.96 million educational records breached in 2025, up 27% year-on-year

Tags: Cybersecurity · Higher education · ShinyHunters · Data breach · University of Nottingham · Ransomware

Published by:

The CyberDiplomat

Member discussion