University of Nottingham data breach: what to do now
4 min read Article Updated 2026-06-10
The University of Nottingham confirmed on 10 June 2026 that an external third party accessed a significant amount of data in its student record system. Students and alumni are both affected. If you study there now, or ever have, treat your personal details as exposed until you hear otherwise. Here is what we know so far, and the five things worth doing today.
Free download
Already at uni?
Get our free At-Uni Pack: stretching the loan through the Jan-to-April gap, the hardship-fund route nobody mentions, signing a private let without losing your deposit, and getting council tax right. Twelve pages, checked for 2026/27.
One useful email every Tuesday too. Unsubscribe in one click. Every signup is entered to win a pair of Beats Studio Pro (£349 RRP), UK residents 18+. T&Cs.
What happened
The university says it has contacted everyone affected and reported the incident to Action Fraud and the Information Commissioner's Office. The affected systems were taken offline while it works out the full scope. So far, so standard.
The claim of responsibility is uglier. A criminal group called ShinyHunters says it took more than 40 GB of data, including billing records, card payment details and student finance information. The university has not confirmed that list, and groups like this exaggerate to push up the price of stolen data. They also sometimes tell the truth.
I read the University of Nottingham's own statement on Wednesday morning and checked the support line against the page rather than trusting screenshots of it. The number listed there is 0115 74 86500, and the statement asks you to keep checking your university email address for updates.
Nottingham is not even the only UK university breach this fortnight. The University of Oxford disclosed in early June that CareerConnect, the careers platform its students log into, was breached at its third-party provider Group GTI, and the same platform runs career hubs for King's College London and the University of Manchester. If you use a university careers site anywhere, the password advice below applies to you too.
How do I know if I'm affected?
The university says affected students and alumni have been contacted directly. For current students that means your university inbox, so log in and check it, even if you normally let it pile up. Alumni are being emailed on whatever address the university still holds.
No email is not proof you're safe. Breach investigations widen as they go on. If you have ever paid the university for anything by card, tuition instalments, accommodation, gym membership, even a library fine, work on the careful assumption that those details are part of what was taken.
Five things to do today
1. Treat every message about the breach as a possible fake
Whoever holds this data now has enough detail to write a very convincing email from "the university". The weeks after a breach are peak phishing season, because everyone affected is expecting official contact and clicks faster than usual. The university will not ask for your password, your card number or a payment to secure your account. Any message that does is a fake. Forward it to the NCSC's scam email reporting service and delete it.
2. Tell your bank if you've paid the university by card
The stolen set allegedly includes card payment details. Phone your bank, say your card may be caught up in the University of Nottingham breach, and let them decide whether to reissue it; a replacement arrives within a few days and costs you nothing. Then watch your statements over the next few months. Card fraud often starts with a small test payment of a pound or two, not a big obvious hit. Flag anything you don't recognise.
3. Change any password you reuse
The student record system holds, at minimum, your name, contact details and date of birth. If your university password is also your email password, or your banking password, change it now and switch on two-factor authentication while you're in the settings. Our cybersecurity guide for students walks through this step by step.
4. Check your credit report
Identity fraud shows up as credit applications you never made. Experian, Equifax and TransUnion all give you a free statutory credit report, which sounds like the stripped-down version of the paid product but actually shows every account and search a lender would see, just without the marketing. Pull one now and look for accounts or searches you don't recognise. Then check again in a month. Fraudsters often sit on stolen data for a while; a quiet first month proves nothing.
5. Consider Cifas Protective Registration
If you'd rather not rely on remembering to check, Cifas Protective Registration costs £30 and lasts two years. It puts a warning flag against your name in the National Fraud Database, which forces lenders to run extra identity checks before approving anything in your name. Look, paying £30 to clean up a leak you didn't cause stings. It is still far cheaper than untangling a loan someone else took out as you.
If something does go wrong
Report any actual fraud attempt to Action Fraud on 0300 123 2040 or through their website, and keep the crime reference number. Your bank and the university will both want it.
The Information Commissioner's Office is already involved and can investigate how the breach happened. If you think the university has mishandled your data, complain to the university first, then escalate to the ICO if the answer doesn't satisfy you. Our guide to student rights covers how complaints routes work.
We'll update this page as the university confirms more. Everything here was checked against the university's statement and the linked sources on the day the breach was confirmed.
Reviewed · Editorial standards
