University of Nottingham hit by major cyber-attack, student data accessed
Quick Look
- Hackers accessed significant personal student and alumni data, including financial and personal details, from the University of Nottingham's Campus Solutions system.
- The university is investigating with regulatory bodies and has contacted affected individuals.
AI-generated summary
Why It Matters
Hackers accessed a significant amount of personal student and alumni data from the University of Nottingham's record system. The university is working with regulatory bodies and has contacted affected individuals. The cyber-attack occurs amidst proposed staff redundancies at the university.
Hackers from a well-known cyber criminal group have accessed a "significant amount" of personal student data held by the University of Nottingham.
The university said it was believed the group accessed the data for current students and alumni - including financial information - from its record system.
In an email sent to students, seen by the BBC, chief governance and risk officer Jason Carter said those behind the major cyber-attack, who had "previously targeted a number of other organisations", were likely behind the breach.
In a statement, the university apologised to those affected for "any anxiety" caused.
It is understood the university identified the unauthorised activity on its Campus Solutions system on Tuesday.
All affected students and alumni have since been contacted, a university spokesperson said.
'Comprehensive investigation'
"We are working to understand the data that has been accessed and have contacted those students and alumni affected directly," the university said.
"We are working closely with Action Fraud, the Information Commissioner's Office, and other regulatory bodies.
"We will remain in contact with those directly impacted and will continue to provide updates as the situation develops."
In the email sent to those affected, Carter said, after detecting the attack, the university "immediately took the affected systems offline to contain the incident and launched a comprehensive investigation".
While their investigation continues, the senior staff member said he was operating on the precautionary assumption that four categories of information had been accessed:
Contact information including names, email and postal addresses
University-related details including course information, student/staff ID
Financial information
Personal information including NI numbers and protected characteristics
"We are working to verify the exact scope of the data accessed and will provide further updates as our investigation confirms these details," Carter added.
An Information Commissioner's Office spokesperson said: "The University of Nottingham reported an incident to us and we are assessing the information provided."
The cyber-attack comes after the university told 2,700 staff that they are at risk of redundancy - more than a third of its workforce - as it responds to "changing sector demands" which are causing "financial challenges".
It confirmed it was proposing to cut 609 of its 7,363 full-time equivalent roles over the next three years.
In response, staff began a boycott of marking and assessments.
The University and College Union (UCU) said the action would "effectively block the university from handing out graduation certificates".
One of those affected, Abigail Maguire, told the BBC of her fears over plans to use her earlier grades to arrive at her final degree grade, which she says will not reflect her final-year work for which she has been averaging first-class scores.
Maguire said her brother had died before she enrolled at the university, but the loss had created a lasting impact.
"I was struggling with certain traumatic findings from his death, [and] I was also surpassing him in age at that time, which was also really difficult,"
"I was also dealing with physical health problems, and it severely affected my course and my grades, so I appealed to the university and explained my situation.
"They didn't give me a choice, they didn't give me an opportunity to take the exams when I was in a better state of mind... I passed, but just about, and they said 'just do better in your third year'.
"I worked really hard in my third year, I managed to average for a first, so that makes up for the lost marks in my second year, and now all of that could just be overridden, and just worthless."
Open Questions
- What is the exact scope of the data accessed?
- What specific financial information was compromised?
- What are the identities of the cyber criminal group responsible?
- What measures are being taken to prevent future attacks?






