Oxford Hit by Two Vendor Data Breaches in Five Weeks

Oxford University’s CareerConnect platform was breached on May 28 through a vulnerability in software provided by Group GTI, a London-based careers-service company, exposing full names, email addresses, and encrypted passwords for alumni, research staff, and employer accounts. The attack is the university’s second confirmed vendor data breach in under five weeks.

The first came when ShinyHunters hit Instructure’s Canvas learning platform in early May, pulling Oxford into a global incident that reached roughly 8,800 institutions and compromised data on up to 275 million users worldwide. The GTI breach is scoped to one institution’s careers platform, but it arrives at a university whose users have already spent weeks watching vendor after vendor disclose security incidents involving their personal data.

GTI’s Security Flaw, Oxford’s Exposed Users

On May 28, Group GTI notified Oxford that an unauthorized party had accessed CareerConnect, the university’s careers platform used by students, alumni, research staff, and employer recruiters to apply for jobs, book appointments, and register for events. The intruder reached first names, last names, and email addresses for every user category in the system.

The extent of the damage turns on login method. Students access the platform through Oxford’s single sign-on (SSO) system, so their passwords were never stored on GTI’s infrastructure and were not exposed. Alumni, research staff, and employer accounts set their own passwords locally on the platform; those accounts also had encrypted passwords taken. The company invalidated all affected passwords immediately, and impacted users will be prompted to set a new one at next login.

Oxford’s official Careers Service breach disclosure breaks down exposure by user type:

• Current students (SSO login): names and email addresses only; passwords were not stored on the platform and are not affected.
• Alumni, research staff, and employer/recruiter accounts: names, email addresses, and encrypted passwords; all affected passwords have been forcibly reset.
• All account types: no evidence of exposure for course records, uploaded files, appointment data, or financial information.

Publicly, the company has said almost nothing about the incident. It told Oxford the attack “appeared to be focused on gathering credentials which may lead to phishing attempts,” the only technical characterization the university received and passed on verbatim to users. The London-based provider has not disclosed how the vulnerability worked, how many accounts were accessed, or whether data was copied or only viewed. It did not respond to press requests for comment. Oxford told student newspaper Cherwell it is “expecting more information from the external provider GTI on precise numbers” of those affected.

Oxford Lost Data Through Two Different Vendors in Thirty Days

The breach lands after a month already defined by vendor security failures. What happened to Oxford user data between late April and late May:

1. April 25: Unauthorized actors first access Canvas systems, per later company disclosures.
2. April 29: Instructure detects the intrusion, revokes unauthorized access, and brings in forensic investigators.
3. May 1: The company publicly confirms the breach. Names, email addresses, student IDs, and some private messages are among the data accessed.
4. May 3: ShinyHunters claims responsibility and sets a ransom deadline of May 7, later extended to May 12.
5. May 7: Canvas login pages at institutions worldwide are defaced with a ransom message. The learning platform goes offline.
6. May 8: Service is restored after the company permanently shuts down its Free-For-Teacher account program, the entry vector the attackers exploited, per the technical incident analysis published by Bitdefender.
7. May 11: Instructure confirms reaching an agreement with ShinyHunters, describing receipt of “digital confirmation of data destruction (shred logs).” CEO Steve Daly apologizes publicly: “You deserved more consistent communication from us, and we didn’t deliver it.”
8. May 15: The FBI’s Internet Crime Complaint Center (IC3) issues an advisory warning students and staff they may be contacted by ShinyHunters directly for payment.
9. May 28: Oxford’s careers platform provider notifies the university of an intrusion through a completely separate vulnerability in entirely different infrastructure.

Oxford confirmed the two incidents are entirely unrelated. Congress had already summoned CEO Steve Daly to a closed-door briefing no later than May 21, focused on the company’s failure to contain the threat actor after the first intrusion.

One Platform, Many Universities

Oxford is not the only institution running the affected technology. The same underlying software, marketed by Group GTI as TargetConnect and used to power the university’s careers service, is deployed at universities across the UK and internationally, per the TargetConnect product page GTI maintains for university customers. The same codebase that was breached at Oxford runs careers platforms at other institutions under the same name.

No confirmation has come from the company that any other TargetConnect deployment was hit in the same attack. No other university had publicly disclosed a matching incident as of publication. That silence carries a real question. If the vulnerability was present across multiple deployments in the same configuration, attackers who knew about it had access to more than one institution from a single exploit. GTI notified Oxford on the day of the attack, which is faster than the prior major vendor breach, where unauthorized access ran for four days before detection. Faster notification for one client is a separate matter from disclosure about the scope of the underlying flaw.

As for what the vulnerability affects beyond Oxford, the company’s public position is silence. Users at other institutions running the same software have no statement from the vendor to work from.

Three Years of the Same Entry Point

Education sector attacks through third-party platforms have followed a consistent track since 2023. In each case below, attackers bypassed the university’s own infrastructure entirely and went through a vendor the institution had entrusted with student or staff identity data.

In each case, the university’s own authentication systems and core infrastructure were untouched. The breach entered through a contracted vendor.

Why Education Tops the Breach Tables

A 2023 UK Government Cyber Security Breaches Survey, cited in North West Cyber Resilience Centre research on higher education attack rates, found 85% of higher education organisations identified breaches or attacks that year. Among those that experienced any incident, 61% reported resulting data breaches or financial loss. The comparable figure for large businesses was 8%.

Researchers trace the gap primarily to attack surface size. A major university operates dozens to hundreds of vendor platforms: learning management systems, student records software, careers portals, research databases, financial processing tools, donor management applications. Each holds some fraction of the institution’s identity data via a separate vendor contract, each is a potential entry point, and budget pressure typically steers IT investment toward functionality and access improvements without dedicated resources to audit every supplier’s security posture.

Jointly with Universities UK, the National Cyber Security Centre (NCSC) has published guidance framing higher education institutions as targets ranging from opportunistic criminals to state-linked actors, with potential impacts described as “catastrophic” in disruption, cost, and reputational terms. Phishing was reported by every single higher education institution that experienced any incident in the 2024 UK breaches survey.

The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.

Rep. Andrew R. Garbarino, chairman of the House Committee on Homeland Security, wrote those words to the company’s CEO Steve Daly in a formal letter dated May 11, 2026. Seventeen days later, a different vendor serving Oxford was breached through a completely different flaw.

The Phishing Risk That Outlasts the Patch

Oxford’s guidance to affected users keeps returning to one theme: phishing. The company told Oxford the attackers appeared “focused on gathering credentials which may lead to phishing attempts.” Names and email addresses, which every account type in this breach lost, are the raw material for targeted campaigns. A convincing email arriving in an Oxford alumnus’s inbox that references the institution and the careers service doesn’t need a cracked password to do damage.

For anyone whose name and email address appeared in both vendor disclosures, attackers now hold institutional context from two independent incidents in the same calendar month. The data from each breach is modest on its own; together, it gives attackers richer material for impersonation attempts that look institutional.

Bitdefender’s May advisory on the learning platform breach noted that phishing campaigns “may emerge weeks or months after the breach, well after attention has moved elsewhere.” Oxford’s guidance to careers platform users covers the same ground: watch for suspicious emails appearing to come from the university or the careers service; verify requests for personal or financial information independently; never provide a password in response to an email or message; report anything suspicious to phishing@infosec.ox.ac.uk.

As of publication, the careers service vendor has not confirmed how many individuals were affected by the breach. Oxford says it is still waiting for that number from the external provider.

Frequently Asked Questions

Were Current Oxford Students’ Passwords Exposed in the CareerConnect Breach?

No. Current students sign in to the platform using Oxford’s university-wide single sign-on (SSO) system. Their passwords are managed by Oxford’s own authentication infrastructure and were never stored locally on the careers platform, so they could not have been accessed in this breach. Students using SSO had only names and email addresses potentially exposed. The accounts with credential exposure are alumni, research staff, and employer/recruiter accounts, all of which set passwords directly on the platform.

How Do I Know If My Account Was Affected?

Oxford has said it will contact affected users directly if further action becomes necessary. If you received a university communication specifically about the careers platform security incident, your account was among those flagged. The university has not released a total count of affected accounts, and the vendor has not either. If you hold an alumni, research staff, or employer account and did not receive communication, Oxford has not confirmed your specific data was accessed, but the full scope remains unknown pending figures from the provider.

What Should I Do If My Email Address Was in the Breach?

Change any password you reuse on other services that share your Oxford email address as a login, since credential-stuffing attacks use breach datasets to test the same credentials across other platforms. Watch for phishing emails that appear to come from the university, the careers service, or GTI. Oxford’s published guidance is clear that the university will never ask for a password by email or message. Report suspicious emails to phishing@infosec.ox.ac.uk. If you receive an unsolicited request to verify personal or financial information that seems institutional, confirm through the official Oxford University website before responding.

Could Other UK Universities Have Been Affected by the Same Vulnerability?

Possibly, though no other institution had confirmed a matching incident as of publication. The same software that powers Oxford’s careers platform, sold under the TargetConnect name, is deployed at universities in the UK and internationally. The company has not confirmed whether the security vulnerability that allowed the Oxford breach was also present in other deployments, or whether Oxford was the only affected client. Anyone using a careers platform running the same software at another institution should check with their own university for any security notifications about the incident.