Active · Medium impact · AI Refreshed

ShinyHunters extortion gang claims data theft from 100+ Oracle PeopleSoft instances

Occurred 9 Jun 2026 · Detected 15 Jun 2026
🇺🇸 Global targeting of Oracle PeopleSoft server instances, with confirmed victim in Nottingham, UK · 4 reports
Cyber · Cyber · Casualty & Liability

ShinyHunters extortion gang claims theft of data from approximately 300 Oracle PeopleSoft instances across 100+ organizations, primarily in education. The University of Nottingham has confirmed it is a victim, with personal data of around 454,600 current and former students (including UK, Malaysia and China campuses) published on the leak site. Attackers reportedly chain older PeopleSoft vulnerabilities with alleged zero-day exploits, drop ransom notes on compromised servers, and follow up with extortion demands. Oracle has not publicly commented on the campaign or the zero-day claim.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Medium impact. London Market materiality remains low to moderate. One large UK higher-education victim is now confirmed, with a named UK regulator-visible PII count (~454,600 records including payment and passport data) that supports a meaningful first-party cyber loss and regulatory exposure for that single insured. However, there is still no confirmed named insured cyber loss across the broader 100+ claimed victim set, no loss estimate, no systemic outage, and no vendor confirmation of a true zero-day, all of which cap near-term systemic severity. The 454,600-record single-victim PII exposure is a usable insured-industry figure that can floor (but not cap) the band: it supports a low-to-moderate band given that single-victim ransomware/extortion PII events in higher education have historically settled in the low-to-mid single-digit millions insured range, while still falling well short of systemic thresholds. Materiality could escalate if Oracle confirms a true unpatched zero-day, if the victim footprint broadens into regulated finance, healthcare, or critical infrastructure, or if additional named insureds come forward with quantified losses.


Intelligence ledger


AI refreshed 18 Jun 2026, 03:40

Known · 23 lines

ShinyHunters confirmed to BleepingComputer they are behind the attacks
Claimed 300 instances compromised across 100+ organizations
Nottingham University confirmed as victim and data published on leak site
IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'
Attack uses 'gadget chain' of old and zero-day vulnerabilities
Script drops ransom note 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on PeopleSoft servers
The University of Nottingham breach exposed personal data of approximately 454,600 current and former students, including names, addresses, payment and billing information, credit card and payment details, and passport numbers.
nottingham_pii_records_exposed · insured severity anchor · valid from 17 Jun 2026, 14:14 · Cyber
Market relevance: Quantified PII exposure for a single named UK higher-education insured; usable insured-industry figure for severity banding
“the cybercrime group claims to have stolen over 40GB of documents containing student finance data, billing and payment information, credit card and payment details, and campus portal exports” — BleepingComputer · 11 Jun 2026, 07:27 · trade media
Reported indicators of compromise include 7 IP addresses and a TLS certificate linked to the 'azurenetfiles[.]net' infrastructure used by the threat actor.
iocs_azure_netfiles_infrastructure · attribution ioc · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Published IOCs support detection, incident response, and potential attribution, reducing uncertainty for cyber underwriters and claims teams.
“IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
Two independent media sources (BleepingComputer trade press and TechCrunch mainstream press) corroborate the core campaign claim.
corroboration_sources · context · valid from 16 Jun 2026, 02:12 · Cyber
Market relevance: multi-source corroboration underpins event classification confidence
“Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations” — techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
“ShinyHunters confirmed to BleepingComputer they are behind the attacks” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Indicators of compromise include 7 IP addresses and a TLS certificate linked to the domain 'azurenetfiles[.]net'.
iocs_azurenetfiles · cyber threat landscape · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Provides actionable IOCs for cyber underwriters and incident-response teams; relevant to active risk assessments on PeopleSoft-using insureds.
“IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Compromised Oracle PeopleSoft servers have been observed with a ransom note file named 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' dropped on the system.
ransom_note_indicator · risk mitigation indicator · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Detection and forensic indicator usable by insureds and underwriters for risk selection and incident triage
“Script drops ransom note 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on PeopleSoft servers” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The University of Nottingham has confirmed it is a victim of the ShinyHunters campaign, with stolen data published on the group's leak site; the breach also affected its Malaysia and China campuses.
nottingham_university_confirmed_victim · named insured indicator · valid from 17 Jun 2026, 14:14 · Cyber
Market relevance: Single large UK university victim with regulator-visible PII exposure
“The University of Nottingham confirmed a cyber incident by the ShinyHunters extortion gang, exposing personal data of 454,600 current and former students including names, addresses, payment details, and passport numbers.” — BleepingComputer · 11 Jun 2026, 07:27 · trade media
Supersession history: 1 prior/revised claim rows.
ShinyHunters confirmed to trade media that it is conducting a data-theft and extortion campaign against Oracle PeopleSoft servers, claiming roughly 300 instances compromised across 100+ organizations.
shinyhunters_claims_peoplesoft_campaign · aggregation risk signal · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Cyber extortion targeting enterprise ERP platform with potential multi-insured exposure
“Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations” — techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
“Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
Reported indicators of compromise include 7 IP addresses and a TLS certificate linked to the domain 'azurenetfiles[.]net'.
iocs_ips_and_tls_cert · risk mitigation indicator · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Actionable IOCs for detection, hunting, and underwriting diligence on insured exposure
“IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters has confirmed to BleepingComputer that it is behind the data theft and extortion campaign targeting Oracle PeopleSoft servers.
campaign_shinyhunters_peoplesoft_attribution · threat intel · Cyber
Market relevance: Tracks the threat actor behind a multi-organization PeopleSoft campaign, relevant for cyber underwriting threat-intel context.
“Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Attackers drop a ransom note named 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on compromised PeopleSoft servers as part of the extortion workflow.
ransom_note_dropped_on_servers · threat intel · Cyber
Market relevance: Confirms ransomware-style extortion workflow against PeopleSoft hosts.
“Script drops ransom note 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on PeopleSoft servers” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
The University of Nottingham has confirmed being a victim, with data published on the ShinyHunters leak site.
nottingham_university_victim_confirmed · named insured loss indicator · Cyber
Market relevance: confirms a UK higher-education victim with published data; informs cyber and education-sector exposure
“Nottingham University confirmed as victim and data published on leak site” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters has confirmed to BleepingComputer that it is behind the Oracle PeopleSoft data theft attacks.
shinyhunters_claim_attribution · threat actor attribution · Cyber
Market relevance: establishes threat actor identity for cyber-underwriting loss models
“Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
No public insured-loss estimate, no named insured cyber claim, and no market pricing movement have been disclosed in the supplied context.
no_insured_loss_estimate_public · severity floor · valid from 17 Jun 2026, 14:14 · Cyber
Market relevance: Absence of quantified insured loss caps severity projection; the ~454,600-record Nottingham PII exposure is a usable insured-industry floor for single-victim severity banding
BleepingComputer · 11 Jun 2026, 07:27 · trade media
BleepingComputer · 10 Jun 2026, 18:31 · trade media
Oracle has not publicly disclosed or commented on the ShinyHunters campaign or on the alleged use of a PeopleSoft zero-day.
oracle_no_public_comment · uncertainty indicator · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Absence of vendor confirmation caps systemic-severity projection and leaves exploit status unresolved
“Oracle has not publicly disclosed or commented on the attacks” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
Event lifecycle is classified as developing, promoted after at least two corroborating sources were ingested.
lifecycle_status_developing · lifecycle indicator · valid from 16 Jun 2026, 02:12 · Cyber
Market relevance: supports active monitoring posture for cyber underwriters
“signal -> developing” — Source · 16 Jun 2026, 17:18
Event lifecycle is set to 'developing' on the basis of multiple corroborating sources.
lifecycle_developing · lifecycle context · Cyber
Market relevance: reflects event is in active development; underwriters should monitor for escalation
techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
BleepingComputer · 10 Jun 2026, 18:31 · trade media
This event remains at the signal/lifecycle stage with no evidence of a concrete London Market insured loss pathway.
event_lifecycle_signal · lifecycle status · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Lifecycle stage supports low London Market materiality rating pending further corroboration.
BleepingComputer · 10 Jun 2026, 18:31 · trade media

Reported · 25 lines

Most affected organizations are in education sector
Attempted to breach FBI portal running PeopleSoft but failed
Oracle has not publicly disclosed or commented on the attacks
The University of Nottingham breach exposed personal data of 454,600 current and former students, including names, addresses, payment details, and passport numbers, and also affected the university's Malaysia and China campuses.
nottingham_breach_individuals_affected · claims watch · Cyber
Market relevance: Large PII volume drives potential first-party cyber and regulatory exposure for a UK higher-education institution.
“exposing personal data of 454,600 current and former students including names, addresses, payment details, and passport numbers” — BleepingComputer · 11 Jun 2026, 07:27 · trade media
ShinyHunters and trade reporting state that the majority of claimed victims are in the education sector, particularly universities.
education_sector_concentration · sector concentration indicator · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Concentrated sector exposure limits broad-market spread but creates targeted higher-education accumulation risk
“primarily in education” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
ShinyHunters claim they attempted to breach an FBI portal running Oracle PeopleSoft but were unsuccessful.
fbi_portal_attempt_failed · tail risk indicator · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Attempted compromise of a US federal system elevates geopolitical and regulatory tail risk, but no loss event is reported
“Attempted to breach FBI portal running PeopleSoft but failed” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
ShinyHunters attempted to breach an FBI portal running PeopleSoft but failed.
fbi_portal_breach_attempt_failed · context · Cyber
Market relevance: Public-sector targeting context; no successful government compromise confirmed.
“Attempted to breach FBI portal running PeopleSoft but failed” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters reportedly attempted to breach an FBI portal running Oracle PeopleSoft but the attempt was unsuccessful.
fbi_portal_attempt_unsuccessful · attempted target · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Reported unsuccessful attempt against a US federal system reduces near-term critical-infrastructure escalation concerns.
“Attempted to breach FBI portal running PeopleSoft but failed” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Attackers are reported to use a 'gadget chain' combining older, previously disclosed vulnerabilities with alleged zero-day exploits against Oracle PeopleSoft servers.
attack_uses_gadget_chain · vulnerability underwriting · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Mixing known and alleged zero-day flaws is relevant to underwriting and patching risk on an enterprise ERP/HR platform used by large institutions.
“Attack uses 'gadget chain' of old and zero-day vulnerabilities” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters has claimed responsibility to BleepingComputer for widespread data theft attacks against Oracle PeopleSoft servers.
shinyhunters_claimed_attribution · aggregation scenario · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: establishes threat actor relevant to cyber underwriting aggregation scenarios
“ShinyHunters confirmed to BleepingComputer they are behind the attacks” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Attackers reportedly combine a chain of older vulnerabilities with alleged zero-day exploits against Oracle PeopleSoft ('gadget chain').
exploit_chain_known_and_zero_day · aggregation scenario · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: vendor-validated zero-day would materially expand cyber aggregation
“Attack uses 'gadget chain' of old and zero-day vulnerabilities” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Published indicators include 7 IP addresses and a TLS certificate linked to the domain 'azurenetfiles[.]net'.
iocs_published · technical context · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: enables cyber underwriter and incident response triage
“IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The campaign reportedly uses a 'gadget chain' mixing older Oracle PeopleSoft vulnerabilities with an alleged zero-day exploit.
exploit_chain_old_plus_zero_day · vulnerability severity indicator · Cyber
Market relevance: if confirmed zero-day, systemic exposure across the PeopleSoft estate rises sharply
“Attack uses 'gadget chain' of old and zero-day vulnerabilities” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters is reported to chain older Oracle PeopleSoft vulnerabilities with alleged zero-day exploits to compromise servers, drop ransom notes, and then issue extortion demands.
attack_chain_old_and_zero_day · vulnerability indicator · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Mix of known and unpatched exploits affects patching-driven loss prevention and accumulation modeling
“Attack uses 'gadget chain' of old and zero-day vulnerabilities” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claims to have stolen data from approximately 300 Oracle PeopleSoft instances across 100+ organizations.
campaign_scale_300_instances_100_orgs · threat intel · Cyber
Market relevance: Threat-actor reported scale; relevant to cyber accumulation awareness.
“Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations” — techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
“claims to have stolen data from over 100 organizations” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claims to have stolen over 40GB of documents containing student finance data, billing and payment information, credit card and payment details, and campus portal exports from the University of Nottingham.
nottingham_stolen_data_types · claims watch · Cyber
Market relevance: Credit card/payment data categories elevate PCI and fraud-related exposure considerations.
“the cybercrime group claims to have stolen over 40GB of documents containing student finance data, billing and payment information, credit card and payment details, and campus portal exports” — BleepingComputer · 11 Jun 2026, 07:27 · trade media
Published indicators of compromise include 7 IP addresses and a TLS certificate linked to the domain 'azurenetfiles[.]net'.
iocs_ips_and_tls_certificate · threat intel · Cyber
Market relevance: Network IOCs for insured detection and incident response.
“IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The campaign reportedly uses a 'gadget chain' combining older Oracle PeopleSoft vulnerabilities with an alleged zero-day exploit.
vulnerability_chain_old_plus_zero_day · threat intel · Cyber
Market relevance: Reported zero-day could elevate insured patching/EOL exposure if confirmed.
“Attack uses 'gadget chain' of old and zero-day vulnerabilities” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Most reported affected organizations are in the education sector, with the University of Nottingham the only named confirmed victim in the supplied context.
victim_concentration_education · sector exposure · Cyber
Market relevance: Higher-education cyber accumulation is the primary near-term underwriting focus.
“The University of Nottingham confirmed a cyber incident by the ShinyHunters extortion gang” — BleepingComputer · 11 Jun 2026, 07:27 · trade media
“Most affected organizations are in education sector” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claims to have stolen data from approximately 300 Oracle PeopleSoft instances across 100+ organizations.
peoplesoft_instance_count_claim · aggregation scenario · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: scale of claimed compromise frames cyber aggregation potential
“100-plus organizations” — techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
“claims to have stolen data from over 100 organizations” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Attackers drop a ransom note named 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on compromised Oracle PeopleSoft servers.
ransom_note_dropped · loss vector indicator · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: supports cyber extortion loss pathway modelling
“Script drops ransom note 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on PeopleSoft servers” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claim the campaign reached 100+ organizations.
shinyhunters_scope_claim_100_orgs · aggregate exposure sizing · Cyber
Market relevance: broadens potential insured population for cyber treaty accumulation
“100-plus organizations” — techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
ShinyHunters claim to have stolen data from approximately 300 Oracle PeopleSoft instances.
shinyhunters_scope_claim_300_instances · aggregate exposure sizing · Cyber
Market relevance: size of claimed attack surface; relevant to aggregate exposure assessment
“Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations” — techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
“claims to have stolen data from over 100 organizations” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claims the campaign has impacted more than 100 organizations.
claimed_organization_count_100_plus · cyber threat landscape · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: If validated, breadth of victim organizations increases aggregate exposure in education and other sectors using PeopleSoft.
“claims to have stolen data from over 100 organizations” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claims to have compromised approximately 300 Oracle PeopleSoft instances.
claimed_instance_count_300 · cyber threat landscape · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Scale of claimed compromise if validated would materially raise cyber extortion severity in education sector.
“claims to have stolen data from over 100 organizations” — BleepingComputer · 10 Jun 2026, 18:31 · trade media

Uncertain · 24 lines

Whether a true Oracle PeopleSoft zero-day is being exploited (Oracle has not confirmed)
Total number of confirmed victims vs claims by threat actor
Scope of data stolen from each compromised instance
Whether non-education sector organizations are also affected
The scope of data stolen from each compromised Oracle PeopleSoft instance remains unknown.
data_scope_per_instance_uncertain · loss vector indicator · valid from 16 Jun 2026, 02:12 · Cyber
Market relevance: per-record exposure drives privacy/notification loss estimation
“Scope of data stolen from each compromised instance” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Whether a true Oracle PeopleSoft zero-day is being exploited is unverified; Oracle has not confirmed the zero-day claim.
zero_day_unverified · escalation driver · valid from 16 Jun 2026, 02:12 · Cyber
Market relevance: vendor-validated unpatched zero-day would materially raise cyber aggregation
“Whether a true Oracle PeopleSoft zero-day is being exploited (Oracle has not confirmed)” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The total number of confirmed victims versus claims made by the threat actor remains unclear; only the University of Nottingham is publicly confirmed so far.
confirmed_vs_claimed_victims_uncertain · uncertainty driver · valid from 16 Jun 2026, 02:12 · Cyber
Market relevance: limits near-term insured loss aggregation modelling
“Total number of confirmed victims vs claims by threat actor” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Whether organizations outside the education sector are also affected remains unconfirmed beyond the University of Nottingham.
non_education_sector_exposure_uncertain · escalation driver · valid from 16 Jun 2026, 02:12 · Cyber
Market relevance: expansion beyond education would broaden cyber aggregation scope
“Whether non-education sector organizations are also affected” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Whether a true Oracle PeopleSoft zero-day is being exploited is unconfirmed; Oracle has not publicly disclosed or commented.
zero_day_unconfirmed_by_oracle · vulnerability severity indicator · Cyber
Market relevance: vendor confirmation of a true zero-day would materially raise cyber market concern
“Oracle has not publicly disclosed or commented on the attacks” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The scope of data stolen from each compromised instance is not publicly known.
scope_stolen_data_uncertain · uncertainty flag · Cyber
Market relevance: per-record notification and regulatory cost cannot yet be sized
“Scope of data stolen from each compromised instance” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Whether non-education organizations are also affected is not publicly established.
non_education_victims_uncertain · sector exposure context · Cyber
Market relevance: broadening beyond education would expand cyber accumulation potential
“Whether non-education sector organizations are also affected” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The total number of independently confirmed victims remains well below the figures claimed by the threat actor.
confirmed_vs_claimed_victims_gap · uncertainty caveat · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Gap between threat-actor claims and confirmed victims materially affects severity calibration for cyber insurers.
“Total number of confirmed victims vs claims by threat actor” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The attackers are reported to use a 'gadget chain' combining older vulnerabilities and an alleged zero-day against Oracle PeopleSoft; Oracle has not confirmed a zero-day.
exploit_chain_includes_zero_day · vulnerability exposure · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: If an unpatched zero-day is confirmed, severity for unpatched PeopleSoft estates rises sharply across all sectors.
“Attack uses 'gadget chain' of old and zero-day vulnerabilities” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
It is uncertain whether non-education sector organizations are also affected by the campaign.
non_education_exposure_uncertain · uncertainty caveat · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Determines whether cyber exposure broadens beyond education into corporate, public-sector, and financial services books.
“Whether non-education sector organizations are also affected” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The total number of confirmed victims versus the threat actor's claim of 100+ organizations remains unverified; only the University of Nottingham is independently confirmed in the supplied context.
victim_count_vs_claim_uncertain · uncertainty · Cyber
Market relevance: Limits reliable accumulation sizing until independent victim disclosures are published.
“The University of Nottingham confirmed a cyber incident by the ShinyHunters extortion gang” — BleepingComputer · 11 Jun 2026, 07:27 · trade media
“Total number of confirmed victims vs claims by threat actor” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Whether a true Oracle PeopleSoft zero-day is being exploited remains unconfirmed; Oracle has not publicly disclosed or commented on the attacks.
zero_day_status_unconfirmed_by_oracle · uncertainty · Cyber
Market relevance: Vendor confirmation of a zero-day would materially change severity and patching assumptions for insureds.
“Whether a true Oracle PeopleSoft zero-day is being exploited (Oracle has not confirmed)” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
It remains uncertain whether a true Oracle PeopleSoft zero-day is being exploited, as Oracle has not confirmed the claim and the threat actor's description mixes known and unknown vulnerabilities.
zero_day_exploit_unconfirmed · systemic risk pathway · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Confirmation of an unpatched zero-day against a widely deployed ERP/HR platform would materially raise systemic cyber insured-loss potential.
“Whether a true Oracle PeopleSoft zero-day is being exploited (Oracle has not confirmed)” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The total number of confirmed victims is uncertain; the 300-instance / 100+ organization figure is a threat-actor claim rather than an independently verified count.
total_victim_count_uncertain · exposure uncertainty · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Unverified victim counts limit ability to size aggregate cyber insured exposure from this campaign.
“Total number of confirmed victims vs claims by threat actor” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The scope of data stolen from each compromised Oracle PeopleSoft instance has not been disclosed and remains uncertain.
scope_of_stolen_data_uncertain · loss severity uncertainty · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Data scope per victim drives notification costs, regulatory exposure, and aggregate cyber loss estimates.
“Scope of data stolen from each compromised instance” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
It is uncertain whether non-education-sector organizations, including regulated industries or critical infrastructure, are also affected by the ShinyHunters PeopleSoft campaign.
non_education_impact_uncertain · sector expansion risk · valid from 15 Jun 2026, 19:55 · Cyber
Market relevance: Spread into regulated or critical-infrastructure sectors would materially raise insured severity and systemic risk concerns.
“Whether non-education sector organizations are also affected” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The total number of independently confirmed victims is unclear; the 100+ figure is a threat-actor claim rather than a verified count.
confirmed_victim_count_uncertain · aggregation uncertainty · valid from 17 Jun 2026, 14:14 · Cyber
Market relevance: Confirmed-victim count is the principal driver of insured-severity scaling and is presently anchored by a single UK university
“Total number of confirmed victims vs claims by threat actor” — BleepingComputer · 11 Jun 2026, 07:27 · trade media
Supersession history: 1 prior/revised claim rows.
Whether a true Oracle PeopleSoft zero-day is being exploited remains unconfirmed; Oracle has not disclosed or commented, and the claim relies on threat-actor attribution.
true_zero_day_unconfirmed · severity lever · valid from 17 Jun 2026, 14:14 · Cyber
Market relevance: Zero-day confirmation is the principal escalation vector; its absence caps systemic severity
“Whether a true Oracle PeopleSoft zero-day is being exploited (Oracle has not confirmed)” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The scope of data stolen from each compromised Oracle PeopleSoft instance has not been publicly disclosed beyond the Nottingham case.
per_instance_data_scope_uncertain · severity uncertainty · valid from 17 Jun 2026, 14:14 · Cyber
Market relevance: Limits ability to project aggregate notification costs and regulatory fines across the campaign
“Scope of data stolen from each compromised instance” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
It remains unconfirmed whether non-education sector organizations (e.g., financial services, healthcare, public sector) are among the compromised instances.
non_education_victim_presence_uncertain · severity lever · valid from 17 Jun 2026, 14:14 · Cyber
Market relevance: Spread into regulated or critical-infrastructure sectors is a principal escalation path for London Market materiality.
“Whether non-education sector organizations are also affected” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim row.

Geographic Zone Matches

3 active matches

  • TRIA Certified Areas
    Rule-based · Confidence 100%
  • Pacific Ring of Fire
    Rule-based · Confidence 100%
  • Caribbean Hurricane Zone
    Rule-based · Confidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇨🇳 China · 🇬🇧 United Kingdom · 🇲🇾 Malaysia · 🇺🇸 United States

Latest developments

  • ShinyHunters confirmed it is behind a PeopleSoft data-theft campaign claiming ~300 instances and 100+ organizations. (BleepingComputer)
  • The University of Nottingham confirmed it is a ShinyHunters victim, with the UK, Malaysia and China campuses affected. (BleepingComputer)
  • The Nottingham breach exposed data of ~454,600 students, including payment and passport details, anchoring a credible single-victim insured-severity floor. (BleepingComputer)
  • Reporting indicates the campaign is concentrated in the education sector, particularly universities. (BleepingComputer)
  • Attackers are reported to combine older PeopleSoft vulnerabilities with alleged zero-day exploits, then issue extortion demands. (BleepingComputer)
  • A ransom note file 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' has been observed on compromised PeopleSoft servers. (BleepingComputer)
  • IOCs include 7 IP addresses and a TLS certificate linked to 'azurenetfiles[.]net'. (BleepingComputer)
  • Oracle has not publicly commented on the campaign or on the alleged zero-day. (BleepingComputer)

Timeline

Status Change · 18 Jun 2026, 04:44

Status changed to active

evidence_trigger: developing_promotion

developing -> active

Corroboration · 18 Jun 2026, 04:44

A threat actor claims to have breached Oracle PeopleSoft enterprise resource planning (ERP) systems used by more than 100 organizations, potentially exposing sensitive HR, payroll, and personal data. The scale of the claimed breach across a widely deployed ERP platform raises significant supply chain cyber exposure concerns for London market cyber underwriters.

Source: digit.in (Mainstream Media)

Intelligence Refresh · 18 Jun 2026, 03:40
Escalation · 18 Jun 2026, 03:40

AI impact assessment increased

London Market materiality remains low to moderate. One large UK higher-education victim is now confirmed, with a named UK regulator-visible PII count (~454,600 records including payment and passport data) that supports a meaningful first-party cyber loss and regulatory exposure for that single insured. However, there is still no confirmed named insured cyber loss across the broader 100+ claimed victim set, no loss estimate, no systemic outage, and no vendor confirmation of a true zero-day, all of which cap near-term systemic severity. The 454,600-record single-victim PII exposure is a usable insured-industry figure that can floor (but not cap) the band: it supports a low-to-moderate band given that single-victim ransomware/extortion PII events in higher education have historically settled in the low-to-mid single-digit millions insured range, while still falling well short of systemic thresholds. Materiality could escalate if Oracle confirms a true unpatched zero-day, if the victim footprint broadens into regulated finance, healthcare, or critical infrastructure, or if additional named insureds come forward with quantified losses.

Intelligence Refresh · 17 Jun 2026, 15:43
Corroboration · 17 Jun 2026, 14:14

The University of Nottingham confirmed a cyber incident by the ShinyHunters extortion gang, exposing personal data of 454,600 current and former students including names, addresses, payment details, and passport numbers. The breach exploited Oracle PeopleSoft vulnerabilities and also affected the university's Malaysia and China campuses. This is part of a broader campaign by ShinyHunters targeting 100+ organizations worldwide.

Source: BleepingComputer (Trade Media)

Status Change · 16 Jun 2026, 02:12

Status changed to developing

evidence_trigger: corroboration >= 2

signal -> developing

Corroboration · 16 Jun 2026, 02:12

A cybercriminal group claims to have breached Oracle PeopleSoft servers at over 100 organizations, primarily universities and educational institutions. The claim, if validated, represents a large-scale supply chain or enterprise application compromise with significant data breach and potential ransom implications across multiple insured entities.

Source: techcrunch.com (Mainstream Media)

Intelligence Refresh · 15 Jun 2026, 19:58
Initial Detection · 15 Jun 2026, 19:55

ShinyHunters is conducting widespread data theft attacks against Oracle PeopleSoft servers, claiming to have compromised 300 instances across 100+ organizations, primarily in education. The attacks exploit old and zero-day vulnerabilities and are followed by extortion demands. Nottingham University has confirmed being a victim with data already published on the group's leak site.

Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.

Source: BleepingComputer (Trade Media)

Lloyd's classifications
