Ransomware: shinyhunters named nottingham.ac.uk (GB)

Jeff Davies 09 Jun 2026 4 min read

Issuer: Adverse Trace Date issued: 2026-06-09 Version: 1.0

1. Executive summary

The extortion group "shinyhunters" has claimed responsibility for a data breach at the University of Nottingham (nottingham.ac.uk), asserting the exfiltration of over 40 GB of data (the compressed archive is listed at 19 GB+) including billing records, payment details and student finance information. The primary victim is a UK educational institution, but the dataset reportedly contains third-party payment processor data and extensive PII, creating immediate third-party risk for EMEA financial services entities that act as payment gateways for the university or hold co-branded financial products with it. The bottom-line risk to financial clients is fraud stemming from compromised cardholder data (CHD), together with the obligation to reassess ICT third-party and concentration risk under DORA if payment processors serving the education sector are implicated.

2. Regulatory framing

Regulation / Article: Practical impact for EMEA financial services

DORA Art. 17-18 (ICT-related incident management process; classification): Run the event through the incident management process and classify it under the Art. 18 criteria. The deciding input is whether the entity's own data, clients or services are affected, for example through a payment gateway shared with the university, rather than the university's loss as such.

DORA Art. 19 (Reporting of major ICT-related incidents): If the incident classifies as major for the financial entity, notify the competent authority within the mandated timelines: an initial notification within 4 hours of classification and no later than 24 hours from becoming aware, followed by an intermediate report within 72 hours of the initial notification and a final report within one month.

DORA Art. 28-30 (General principles of ICT third-party risk; concentration risk; key contractual provisions): Map every contractual relationship with payment processors or data handlers linked to the University of Nottingham, assess whether a shared provider creates concentration risk, and confirm the contract carries the Art. 30 provisions on data security and segregation, sub-contracting, audit and inspection rights, and the provider's duty to notify and assist on ICT incidents.

NIS2 Art. 21(2)(d) (Supply chain security): Essential and important entities must evaluate whether their supply chain includes suppliers compromised in this breach and keep policies in place that address risks stemming from supplier relationships.

NIS2 Art. 23 (Reporting obligations): Entities in scope that discover their customer data in the leaked set must meet the national reporting timelines (early warning within 24 hours, incident notification within 72 hours, final report within one month) for incidents affecting service continuity or integrity. For financial entities DORA is the sector-specific act under NIS2 Art. 4, so its incident reporting regime applies instead.

3. Attack chain

Based on the claim as posted on ransomware.live, the following steps can be laid out. Steps 1 and 2 are the actor's assertions and are not independently verified; step 3 is the observable listing.

1. Data exfiltration: threat actors accessed and exfiltrated approximately 19 GB+ (compressed) of data from the University of Nottingham's network, reportedly including its campuses in Malaysia and China.
2. Data aggregation: the exfiltrated data was packaged into a single archive containing billing records, credit card details, student finance data and PII (names, addresses, dates of birth).
3. Publication/extortion: "shinyhunters" published a claim on the ransomware.live indexing service, providing a SHA256 hash of the compressed archive and a summary of the stolen contents.

Unconfirmed steps: The specific initial access vector (e.g., phishing, vulnerability exploitation, compromised credentials) is not detailed in the provided source text. While ransomware.live notes "Compromised Employees" and "Infostealer infections" in its general sponsorship text, no specific link between a particular infostealer variant and this specific intrusion is confirmed in the provided item content. Attribution to "shinyhunters" is based solely on the claim posted on the indexing site.

4. Mitigation & containment

P1 (within 24h):
  * Third-party mapping: identify all payment processors, student loan servicers and bursary management vendors currently contracting with UK higher education institutions, and specifically with the University of Nottingham.
  * Credential reset: if your organisation holds accounts on nottingham.ac.uk domains or shared portals, force a password reset and revoke active API keys immediately.
  * Transaction monitoring: tighten monitoring rules for transactions originating from UK postcodes associated with Nottingham (NG1, NG2, etc.) or involving the merchant IDs known to be used by the university, looking for anomalous velocity or card-not-present (CNP) fraud patterns.

P2 (within 72h):
  * Vendor inquiry: ask third-party payment gateways to confirm whether they process data for the affected entity and to state their data segregation status relative to the breached dataset.
  * Data leak search: scan internal dark web monitoring feeds and ransomware.live updates for the SHA256 hash listed in section 5. The hash identifies the archive only; if the archive or sample data surfaces, check whether it contains PANs in your own BIN ranges or records matching your customer profiles.

P3 (within 7 days):
  * Contractual review: review DORA-mandated contractual terms with the identified third-party providers to ensure right-to-audit clauses can be invoked if negligence in handling the university's data is proven.
  * Fraud rule tuning: update fraud detection engines to flag transactions whose billing details match the data fields described (e.g. specific combinations of student ID formats if known, or high-risk geolocations).
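The P1 transaction-monitoring rule, the P2 leak-sample check against your own BIN ranges and the P3 rule tuning can be prototyped together. The following is an added example and is not Adverse Trace tooling or anything from the original page: the BIN ranges, merchant IDs, postcode pattern and velocity thresholds are assumptions, and the leaked rows and transactions are constructed for illustration only.

```python
"""Leak triage and fraud-rule tuning: added example, not Adverse Trace tooling.

All data below is constructed for illustration. BIN ranges, merchant IDs,
postcodes and thresholds are assumptions to be replaced with your own.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Archive hash from the ransomware.live listing (section 5 of the advisory).
IOC_SHA256 = "d3aaaf06dd857deec3866072cc2876780623d880992e8d735094db4779535873"

# Assumed issuer BIN ranges (inclusive 6-digit prefixes); placeholders.
OWN_BIN_RANGES = [(453201, 453209), (522500, 522599)]
# Assumed merchant IDs used by the university; placeholders.
UNIVERSITY_MIDS = {"MID-UON-0001", "MID-UON-0002"}
# NG is the Nottingham postcode area (NG1, NG2, ... NG7 ...).
NOTTINGHAM_POSTCODE = re.compile(r"^NG\d{1,2}\s?\d[A-Z]{2}$", re.I)


def archive_matches_ioc(blob: bytes) -> bool:
    """True if a retrieved file is the archive named in the claim."""
    return hashlib.sha256(blob).hexdigest() == IOC_SHA256


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters garbled or truncated rows out of a leak sample."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def in_own_bins(pan: str) -> bool:
    bin6 = int(pan[:6])
    return any(lo <= bin6 <= hi for lo, hi in OWN_BIN_RANGES)


def build_watchlist(leaked_rows: list[dict]) -> set[str]:
    """PANs from a leak sample that are Luhn-valid and issued on our BINs."""
    watch = set()
    for row in leaked_rows:
        pan = re.sub(r"\D", "", row.get("card", ""))
        if luhn_ok(pan) and in_own_bins(pan):
            watch.add(pan)
    return watch


@dataclass
class Txn:
    ts: datetime
    pan: str
    amount: float
    cnp: bool       # card-not-present
    postcode: str   # billing postcode
    mid: str        # merchant ID


def flag_transactions(txns, watchlist, window=timedelta(hours=1),
                      max_cnp=3, max_cnp_elevated=2):
    """Enhanced-monitoring rule.

    Triggers: a watchlisted PAN in any transaction, or more CNP transactions
    per PAN inside `window` than the limit. The limit drops to
    `max_cnp_elevated` when the billing postcode is in Nottingham or the
    merchant is the university; those context tags are reported, not alerted on.
    """
    alerts = []
    recent = defaultdict(list)  # pan -> timestamps of CNP transactions in window
    for t in sorted(txns, key=lambda x: x.ts):
        context, triggers = [], []
        if NOTTINGHAM_POSTCODE.match(t.postcode.strip()):
            context.append("nottingham_postcode")
        if t.mid in UNIVERSITY_MIDS:
            context.append("university_merchant")
        if t.pan in watchlist:
            triggers.append("pan_in_leak_sample")
        if t.cnp:
            q = recent[t.pan]
            q.append(t.ts)
            while q and t.ts - q[0] > window:  # slide the window forward
                q.pop(0)
            limit = max_cnp_elevated if context else max_cnp
            if len(q) > limit:
                triggers.append("cnp_velocity")
        if triggers:
            alerts.append({"pan_last4": t.pan[-4:], "ts": t.ts.isoformat(),
                           "triggers": triggers, "context": context})
    return alerts


# Constructed leak sample (not real data): one row is from another issuer,
# one fails Luhn as a garbled row would.
LEAKED_SAMPLE = [
    {"name": "A. Student", "postcode": "NG7 2RD", "card": "4532 0100 0000 0008"},
    {"name": "B. Student", "postcode": "NG1 5DT", "card": "4111 1111 1111 1111"},
    {"name": "C. Student", "postcode": "NG2 4AB", "card": "4532 0100 0000 0001"},
    {"name": "D. Student", "postcode": "LE1 7RH", "card": "5225 5000 0000 0007"},
]
BASE = datetime(2026, 6, 9, 10, 0)
M = timedelta(minutes=1)
# Constructed transactions (not real data).
TRANSACTIONS = [
    Txn(BASE, "4532010000000008", 49.99, True, "NG7 2RD", "MID-ONLINE-77"),
    Txn(BASE + 1 * M, "5555555555554444", 9.99, True, "SW1A 1AA", "MID-ONLINE-77"),
    Txn(BASE + 2 * M, "5555555555554444", 9.99, True, "SW1A 1AA", "MID-ONLINE-77"),
    Txn(BASE + 3 * M, "5555555555554444", 9.99, True, "SW1A 1AA", "MID-ONLINE-77"),
    Txn(BASE + 4 * M, "5555555555554444", 9.99, True, "SW1A 1AA", "MID-ONLINE-77"),
    Txn(BASE + 5 * M, "4111111111111111", 12.00, True, "NG1 5DT", "MID-ONLINE-77"),
    Txn(BASE + 10 * M, "4111111111111111", 12.00, True, "NG1 5DT", "MID-ONLINE-77"),
    Txn(BASE + 20 * M, "4111111111111111", 12.00, True, "NG1 5DT", "MID-ONLINE-77"),
    Txn(BASE + 30 * M, "5225500000000007", 250.00, False, "LE1 7RH", "MID-UON-0001"),
    Txn(BASE + 90 * M, "4111111111111111", 12.00, True, "NG1 5DT", "MID-ONLINE-77"),
]

if __name__ == "__main__":
    wl = build_watchlist(LEAKED_SAMPLE)
    print("watchlist (last4):", sorted(p[-4:] for p in wl))
    for a in flag_transactions(TRANSACTIONS, wl):
        print(a)
```

The watchlist is the only part that depends on the leak actually surfacing; the velocity rule can go live on P1 day one with the lowered limit for Nottingham postcodes and university merchants, and be widened to watchlisted PANs once sample data is available. Note that a Nottingham postcode on its own never raises an alert, which keeps the rule from flooding the fraud queue with ordinary local traffic.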

5. Indicators of compromise

Type        Value                                                               Confidence            Source
SHA256      d3aaaf06dd857deec3866072cc2876780623d880992e8d735094db4779535873    High                  ransomware.live
Domain      nottingham.ac.uk                                                    High                  ransomware.live
Actor       shinyhunters                                                        Medium (self-claimed) ransomware.live
Data size   19 GB+ (compressed)                                                 High                  ransomware.live

6. Detection

The provided sources do not contain technical artefacts (file paths, registry keys, mutexes, command-line arguments or malware strings) from which a meaningful YARA or Sigma rule for the intrusion could be built. The only available artefacts are the archive hash and the victim domain; the hash identifies the archive if it surfaces on a feed or in a download and says nothing about the attack mechanism.

Insufficient indicators to author detection rules.

7. Sources

  • ransomware.live, "Ransomware: shinyhunters named nottingham.ac.uk (GB)", https://www.ransomware.live/id/bm90dGluZ2hhbS5hYy51a0BzaGlueWh1bnRlcnM=, 2026-06-09.

8. Adverse Trace position

We assess the severity of this incident as Medium for direct financial services clients, but High for specific payment processors and fintechs serving the UK education sector. The primary risk is not systemic disruption but reputational damage and fraud liability if cardholder data within the claimed 40 GB dump (19 GB+ compressed) is linked to client BINs. Attribution to "shinyhunters" remains unconfirmed beyond their self-claim on an aggregator site; we treat this as a data extortion event rather than a confirmed active ransomware encryption campaign until further technical evidence emerges. Adverse Trace will continue to monitor the ransomware.live feed and underground forums for the release of sample data to validate the presence of financial instrument data.



Published via PulseTrace — Adverse Trace threat intelligence.
