File security for Windows systems — since 2003

How FileSure Would Have Stopped the Nottingham University PeopleSoft Data Breach

By Gene Allen

On June 11, 2026, the University of Nottingham disclosed that the ShinyHunters cybercrime gang had stolen over 40GB of student records — affecting 454,600 current and former students. The stolen data included names, addresses, phone numbers, passport numbers, financial records, and academic information from Nottingham’s UK, Malaysia, and China campuses.

The attackers exploited vulnerabilities in the university’s Oracle PeopleSoft instance to gain access. But exploitation is only half the story. The other half — the part that actually matters for data protection — is what happened next.

Every Data Breach Is a File Operation Problem

ShinyHunters didn’t just “access” the student record system. They had to read student data files from the Windows file system, then write those files into a 40GB archive for exfiltration. Both operations — file reads and archive creation — happen at the operating system level, regardless of which PeopleSoft vulnerability got them in the door.

This is where most security tools fail. They focus on detecting the exploit or the malicious process. By the time they detect anything, the files have already been read and packaged. The data is gone.

FileSure Defend operates at the Windows kernel level via a file system filter driver. It intercepts every file operation — open, read, write, create, delete — before it reaches the file system. You define which programs are authorized to access which files. Everything else gets blocked.

For a university protecting student records under FERPA, the rule is straightforward: only the authorized student information system application can read files in the student records directory. Only authorized backup programs can create archive files in that location. Any other program attempting either operation gets blocked and logged immediately.

The Specific FileSure Rule That Would Have Applied

Here’s what a FileSure policy for this scenario looks like:

Protected Path: D:\StudentRecords\* (all files and subdirectories)

Allowed Programs:

  • C:\Program Files\Oracle\PeopleSoft\psapp.exe
  • C:\Program Files\Backup\veeam.exe

Blocked Operations: Read, Write, Create

Action: Block and log all unauthorized attempts

When ShinyHunters’ exploit gave them code execution, their malicious process would have attempted to read the student record files. FileSure would have intercepted that file open operation at the kernel level, checked the process against the authorized list, found no match, and blocked it. The log entry would have fired immediately — complete with process name, user context, timestamp, and the specific file path attempted.
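The decision flow described above (intercept the operation, compare the process against the authorized list, block and log on no match) can be modelled in a few lines. This is an added illustration, not FileSure code or its configuration format: the function names, record fields and sample events are assumptions, and only the protected path, program paths and operation list come from the policy on this page.

```python
import ntpath
from datetime import datetime, timezone

# Values taken from the policy shown on this page.
PROTECTED_ROOT = r"D:\StudentRecords"
ALLOWED_PROGRAMS = [
    r"C:\Program Files\Oracle\PeopleSoft\psapp.exe",
    r"C:\Program Files\Backup\veeam.exe",
]
GUARDED_OPS = {"read", "write", "create"}  # the page's list; delete is not in it

def norm(path):
    # Windows paths are case-insensitive; also collapse ".." and "/" forms.
    return ntpath.normcase(ntpath.normpath(path))

ROOT = norm(PROTECTED_ROOT)
ALLOWED = {norm(p) for p in ALLOWED_PROGRAMS}

def is_protected(file_path):
    p = norm(file_path)
    # Require a separator after the root so D:\StudentRecordsOld does not match.
    return p == ROOT or p.startswith(ROOT + "\\")

def evaluate(event):
    """Return the audit record (with its decision) for one file-operation event."""
    guarded = is_protected(event["file"]) and event["op"].lower() in GUARDED_OPS
    # Compare the full image path, not just the executable's file name.
    authorized = norm(event["process"]) in ALLOWED
    record = dict(event)
    record.setdefault("time", datetime.now(timezone.utc).isoformat())
    record["decision"] = "BLOCK" if guarded and not authorized else "ALLOW"
    return record

# Constructed sample events (user, process, op, file); not real log data.
SAMPLE_EVENTS = [
    ("svc_psoft", r"c:\program files\oracle\peoplesoft\PSAPP.EXE", "read", r"D:\StudentRecords\2024\enrol.dat"),
    ("svc_web", r"C:\Temp\unknown.exe", "read", r"D:\StudentRecords\2024\enrol.dat"),
    ("svc_web", r"C:\Temp\unknown.exe", "create", r"D:/StudentRecords/export.zip"),
    ("svc_web", r"C:\Temp\psapp.exe", "read", r"D:\Other\..\StudentRecords\a.dat"),
    ("svc_web", r"C:\Temp\unknown.exe", "read", r"D:\StudentRecordsOld\a.dat"),
]

def run_samples():
    keys = ("user", "process", "op", "file")
    return [evaluate(dict(zip(keys, e))) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rec in run_samples():
        print(rec["time"], rec["decision"], rec["user"], rec["process"], rec["op"], rec["file"])
```

Every event produces a record, allowed or blocked, so the same output serves as the audit trail.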

The attackers would have gotten in. They would not have gotten out with the data.

FERPA Compliance Isn’t Just About Access Control

The University of Nottingham reported this breach to the UK’s Information Commissioner’s Office. If this had been a U.S. institution, FERPA would require not just preventing unauthorized disclosure, but also maintaining audit logs of who accessed what, when.

FileSure logs every file operation — allowed or blocked. Your compliance team gets a complete record: which user, which program, which file, which operation, what timestamp. When the auditor asks how you protect student records from unauthorized access, you hand them a log showing every access attempt and every block.

Most institutions rely on Windows Event Logs for this. The problem is that Windows logs access at the permission layer — after the operation is allowed. If an attacker has elevated privileges or exploits a vulnerability that bypasses permissions, Windows has nothing useful to log. FileSure operates independently of Windows permissions. It logs the operation regardless of privilege level.

The Uncomfortable Truth About PeopleSoft and Legacy Systems

Oracle PeopleSoft is enterprise software running critical operations at universities, hospitals, and government agencies worldwide. Much of it runs on older Windows Server versions that can’t easily be replaced or upgraded. These aren’t neglected systems — they’re mission-critical platforms that work, but weren’t built for today’s threat landscape.

ShinyHunters has been systematically exploiting PeopleSoft instances across over 100 organizations. The vulnerability will eventually be patched. The attackers will move to the next vector. This is the whack-a-mole game that IT security has become.

FileSure doesn’t care which vulnerability got the attacker in. It enforces file access policy at the kernel level. The student record files are protected regardless of which exploit is fashionable this month.

454,600 students are now dealing with the consequences of this breach. Their data is out there. It’s not coming back.

The next university that gets hit with a PeopleSoft exploit — or any other exploit — can make a different choice about what happens to their files after the attacker gets in.

Start a free trial at bystorm.com and protect your student records before the next breach.


Source: Nottingham University data breach affects over 450,000 students

Category: Data Loss Prevention

Tags: shinyhunters, peoplesoft, data exfiltration, ferpa, university data breach, kernel filter driver, file system security, student records

Written by

Gene Allen

Gene Allen is a Windows file security expert with over 20 years of experience developing kernel-level solutions that protect enterprise data from ransomware, unauthorized access, and data loss. As founder of ByStorm Software, he architected FileSure — a patented file auditing and security platform trusted by 200+ organizations across healthcare, financial services, and government. Gene holds two U.S. patents in file system security and access control.
