The attack began quietly. In late May, IT administrators at universities and colleges around the world started receiving extortion emails. The sender claimed to have their data — student records, HR files, financial information — pulled straight from systems they trusted to safeguard the information that powers campus life. The emails were signed by a name the cybersecurity community knows well: ShinyHunters.
What happened
The ShinyHunters extortion gang is claiming responsibility for a series of data theft attacks targeting Oracle PeopleSoft servers at more than 100 organizations. According to reporting by BleepingComputer, the group told researchers they exploited a combination of known and zero-day vulnerabilities — what they described as a "gadget chain" — to compromise both cloud-hosted and on-premises PeopleSoft environments.
Oracle confirmed the campaign on June 10, issuing an emergency out-of-band patch for a critical vulnerability tracked as CVE-2026-35273, rated 9.8 out of 10 on the CVSS severity scale. The flaw allows an unauthenticated remote attacker to fully take over a PeopleSoft system — no credentials required. Oracle rarely issues patches outside its quarterly cycle; doing so signals how seriously the company views the threat.
The University of Nottingham confirmed it was a victim, acknowledging that "a significant amount of data" in its student record system had been accessed. The ShinyHunters group claims the education sector accounts for the majority of its targets, and that data from many victims has already been posted to its dark web leak site.
ShinyHunters is not a new name. The group has previously been linked to breaches at Ticketmaster, AT&T, and dozens of other high-profile organizations. Their method is consistent: steal data, make contact, demand payment, and publish if ignored.
Why it matters for Texas institutions
Oracle PeopleSoft is not a niche product in Texas higher education — it is the backbone. Across the UT System, Texas A&M System, and many community colleges and state agencies, PeopleSoft underpins student records, financial aid processing, human resources, payroll, and procurement. A successful compromise does not just expose database rows; it exposes the administrative core of an institution.
For RSOC constituents, the threat is concrete and immediate. Many campuses run PeopleSoft in on-premises configurations or hybrid cloud deployments — both of which are confirmed targets in this campaign. The data stored in these systems is among the most sensitive an institution holds: Social Security numbers, financial records, employment history, student academic records, and healthcare benefit information.
The education sector is explicitly identified by ShinyHunters as their primary hunting ground in this campaign. Texas universities — large, research-intensive, and holding vast repositories of sensitive data — fit the profile.
What your institution should do
The most urgent action is patching. Oracle's emergency security alert for CVE-2026-35273 is available now and should be treated as a critical priority. This is not a vulnerability that can wait for a scheduled maintenance window — an unauthenticated 9.8 CVSS flaw in a system that holds student and employee records requires immediate remediation.
Beyond the patch, institutions should audit their PeopleSoft deployment posture. Check whether your PeopleSoft environment is internet-accessible — if it is, confirm whether network-level controls such as firewall rules, VPN requirements, or IP allowlists are restricting who can reach it. Any externally exposed PeopleSoft instance should be considered high-priority for both patching and access restriction until the vulnerability is fully mitigated.
Institutions should also review PeopleSoft audit and access logs for anomalous activity dating back to at least May 1. The ShinyHunters group suggests their campaign had been ongoing for several weeks before this public disclosure. Look specifically for unusual API activity, large data export events, or authentication attempts from unexpected IP ranges.
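One way to start the log review described above, as an added example rather than code from RSOC or Oracle. It assumes combined-log-format access logs from the web tier in front of PeopleSoft; the expected ranges, both thresholds, the 2026 window year and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumptions, not from the advisory: combined-log-format lines from the web
# tier in front of PeopleSoft, the expected ranges, and both thresholds.
WINDOW_START = datetime(2026, 5, 1, tzinfo=timezone.utc)  # "May 1"; year inferred from the CVE ID
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
EXPORT_BYTES = 50_000_000   # total bytes served to one source inside the window
AUTH_FAILURES = 3           # 401/403 responses to one source outside EXPECTED_NETS

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\d+|-)')

def triage(lines):
    """Return (findings, unparsed); findings maps source IP -> list of reasons."""
    sent, failures, unparsed = defaultdict(int), defaultdict(int), 0
    for line in lines:
        m = LINE.match(line)
        try:  # m is None when the line does not match; bad IPs/timestamps raise ValueError
            src = ipaddress.ip_address(m.group(1))
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except (AttributeError, ValueError):
            unparsed += 1   # report malformed lines rather than hiding them
            continue
        if when < WINDOW_START:
            continue
        sent[src] += int(m.group(4).replace("-", "0"))
        if m.group(3) in ("401", "403") and not any(src in n for n in EXPECTED_NETS):
            failures[src] += 1
    findings = defaultdict(list)
    for src, total in sent.items():
        if failures[src] >= AUTH_FAILURES:
            findings[str(src)].append("auth-failures-unexpected-range")
        if total >= EXPORT_BYTES:
            findings[str(src)].append("bulk-export")
    return dict(findings), unparsed

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE = [
    '10.1.2.3 - - [12/May/2026:09:00:01 +0000] "GET /app/home HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Apr/2026:03:10:00 +0000] "POST /app/login HTTP/1.1" 401 300',
    '203.0.113.7 - - [14/May/2026:03:10:00 +0000] "POST /app/login HTTP/1.1" 401 300',
    '203.0.113.7 - - [14/May/2026:03:10:02 +0000] "POST /app/login HTTP/1.1" 401 300',
    '203.0.113.7 - - [14/May/2026:03:10:05 +0000] "POST /app/login HTTP/1.1" 403 300',
    '203.0.113.9 - - [15/May/2026:02:00:00 +0000] "GET /app/report HTTP/1.1" 200 40000000',
    '203.0.113.9 - - [15/May/2026:02:05:00 +0000] "GET /app/report HTTP/1.1" 200 40000000',
    'truncated line without fields',
]
```

Calling `triage(SAMPLE)` returns the flagged sources and the count of unparsed lines; pass an open log file instead of `SAMPLE` to run it on real data, and adjust the 401/403 test to however your web tier records failed sign-ins.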
If your institution uses a managed service provider or Oracle Cloud for PeopleSoft hosting, contact them immediately to confirm patching status and request a summary of any anomalous access activity. Do not assume the provider has applied the patch without confirmation.
Finally, update and rehearse your incident response plan for an ERP breach scenario. A PeopleSoft compromise triggers breach notification obligations under FERPA, state data breach laws, and potentially HIPAA if benefits data is stored in the system.
RSOC is actively monitoring this threat and is available to assist RSOC-member institutions with patch verification, log review, and incident response guidance. Contact us at rsoc.utexas.edu if your institution needs support.