The University of Nottingham in England confirmed a cyber incident Wednesday, announcing a “significant amount” of data affecting both current and former students had been accessed by an external third party.

According to the university’s statement, it is still working to understand what data has been accessed and said it had already directly contacted affected students and alumni, potentially including those in its foreign campuses in Malaysia and China as well as in Nottingham.

The breach itself has been claimed by the ShinyHunters cybercrime group which claimed on its extortion site to have obtained “over 40GB” of material including credit card and payment details.

Analysis by HaveIBeenPwned of the group’s partially-published data said it includes around 455,000 “unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments.”

In email to students seen by Recorded Future News, the university says it is “operating on the precautionary assumption that the following data may have been accessed” before listing:

• Contact information (names, email and postal addresses)
• University-related details (course information, student/staff ID)
• Financial information (where stored within the system), and
• Personal information (national insurance numbers, protected characteristics)

The university said it was working with a third party on a forensic investigation into the incident, and to “verify the exact scope of the data accessed.” It said it would provide further updates as its investigation confirms details.

The ShinyHunters group has been known to misrepresent its access in extortion attempts, including using historical datasets or obtaining public-domain information and claiming it was captured from internal systems.