University shares more details on major cyber-attack

The University of Nottingham has said cyber criminals attacked its student record platform through a third party.

A "significant amount" of personal student data was accessed in the cyber-attack on its Campus Solutions system on 9 June, the organisation previously said.

In an update on its website on Wednesday, the university said a forensic investigation identified the attackers exploited a vulnerability in a third-party software platform, called Oracle WebLogic, to access parts of the system.

The East Midlands Special Operations Unit (EMSOU) is carrying out a criminal investigation into the attack, which is expected to have affected about 450,000 email addresses.

The university said it was "operating on the precautionary assumption" that the personal data of students, some alumni and applicants had been accessed.

That could include names, staff and student IDs, financial information and personal information such as date of birth, nationality, National Insurance number and sexual orientation.

A forensic investigation is ongoing into the cyber-attack, and the university said it did not yet have a confirmed list of every data field that had been accessed.

In its update, the university said a vulnerability in the Oracle WebLogic "allowed unauthorised remote code execution, giving the attacker access to parts of the system".

It added: "Our investigation into the full attack timeline is ongoing.

"We have since contained the incident and the system is currently offline while we secure and rebuild our system."

The BBC has contacted Oracle for comment.

According to the 'Have I Been Pwned?' website - which allows users to see if their personal data has been compromised - a hacking group called ShinyHunters has claimed responsibility for the attack.

'Have I Been Pwned?' founder Troy Hunt said it was likely the university would have been held to "ransom", and asked to pay money or the data would be published.

The university said on its website: "Our understanding is that the university also didn't receive any direct request for a financial ransom for this data."

It added a forensic investigation was ongoing to verify the exact scope of data access.

A support helpline has been set up for anyone affected and students, alumni and applicants have been advised to monitor their accounts and update their credentials.

In an email sent to students on Wednesday, seen by the BBC, the university's chief governance and risk officer, Jason Carter, said: "I can also confirm that this was not a ransomware attack and it was not an 'accidental disclosure'.

"This means that the data is still retained and not lost, and the incident has been the result of unauthorised access by an external party."

Carter added: "We are very sorry for the continued uncertainty and concern this may be causing. Thank you for your ongoing patience while the investigation progresses."

In an earlier statement to the BBC, the university said: "We take the privacy and security of data that we hold seriously.

"We have notified the Information Commissioners' Office (ICO) in accordance with our legal obligations.

"The National Cyber Security Centre, the Office for Students and Action Fraud have also been notified."

The university said it would not be commenting further due to the ongoing criminal investigation into the attack.

EMSOU, which has a dedicated Regional Cyber Crime Unit, previously confirmed its investigation into the cyber-attack was in the early stages.

On Monday, the ICO said the cyber-attack at the university highlighted "the growing importance of cyber-security as a responsibility that extends beyond IT functions".

Ian Hulme, interim executive director of supervision of the ICO, added: "Universities, as major data controllers handling significant volumes of sensitive personal data, must treat cyber-security and data protection as a core organisational priority.

"We expect senior leaders across the sector to take ownership of these risks, ensure appropriate safeguards are in place, and respond swiftly and effectively to incidents."

Listen to BBC Radio Nottingham on Sounds and follow BBC Nottingham on Facebook, on X, or on Instagram. Send your story ideas to eastmidsnews@bbc.co.uk or via WhatsApp on 0808 100 2210.