The University of Oxford disclosed a new data breach last week after being informed by its third-party provider, Group GTI, that its CareerConnect career services platform had been compromised.
This platform is also used by other UK educational organizations, such as King’s College London and the University of Manchester, to run their institution-specific career hubs.
Founded in 1096, Oxford is a collegiate research university comprising 43 autonomous colleges with more than 26,000 students and over 5,900 research, teaching and research support staff, and is the oldest university in the English-speaking world.
Oxford University said the CareerConnect platform was breached on May 28 by attackers who gained access to users’ first names, last names, email addresses, and encrypted passwords (for users who do not sign in using Single Sign-On (SSO)).
“Alumni, research staff and employer users access CareerConnect with a password set locally on CareerConnect. These passwords were invalidated by GTI and users will be asked to reset their password next time they sign in,” the university said.
“There is no evidence that course information, uploaded files, appointment information, or financial information were involved in this incident. GTI has stated this breach appeared to be focused on gathering credentials which may lead to phishing attempts.”
The institution noted that the incident affected only GTI’s third-party system and that there is no evidence that the attack has compromised university systems. Additionally, GTI and the university have found no evidence that students’ passwords or financial information have been accessed.
It also warned staff, students, and external CareerConnect users that they might be targeted by phishing or scam emails.
This is the second data breach disclosed by Oxford University this year, following the ShinyHunters extortion gang’s breach of Instructure’s Canvas learning management system (LMS), which the university uses, in early May.
After the attack, the hackers claimed to have stolen 280 million records tied to students and staff from 8,809 colleges, school districts, and online education platforms worldwide. Instructure reached an agreement with the cybercrime group, saying that the hackers returned the stolen data and provided shred logs confirming its destruction.
Oxford University confirmed it was one of the victims, adding that its systems were not compromised and that the exposed data was limited to usernames, Canvas email addresses, messages exchanged between users on the platform, course names, and course enrolment information.
An Oxford University spokesperson was not immediately available when contacted by BleepingComputer earlier today for comment on the CareerConnect data breach.





