ctipilot.ch

Oxford University CareerConnect (Group GTI) SaaS breach

incident · incident:oxford-careerconnect-breach

  • Coverage timeline: 1 (first 2026-06-09 → last 2026-06-09)
  • Briefs: 1 (1 distinct)
  • Sources cited: 13 (11 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-09: CTI Daily Brief — 2026-06-09
    active_threats: First coverage. Third-party SaaS breach 2026-05-28 across Oxford/KCL/Manchester; names, emails and non-SSO encrypted passwords; credential-harvest motive.

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 3 (23%)
  • careers.ox.ac.uk: 1 (8%)
  • theregister.com: 1 (8%)
  • blog.xlab.qianxin.com: 1 (8%)
  • dutchnews.nl: 1 (8%)
  • nltimes.nl: 1 (8%)
  • securityweek.com: 1 (8%)
  • techcrunch.com: 1 (8%)
  • other: 3 (23%)

Related entities

All cited sources (13)

Items in briefs about Oxford University CareerConnect (Group GTI) SaaS breach (2)

Oxford University CareerConnect (Group GTI) breach exposes students at multiple UK universities

From CTI Daily Brief — 2026-06-09 · published 2026-06-09

The University of Oxford disclosed a breach after Group GTI, the third-party provider of the CareerConnect career-services platform, reported its systems were compromised on 28 May 2026 (BleepingComputer, 2026-06-08; Oxford Careers Service, 2026-06-01). Exposed data includes student first names, last names and email addresses; for users who do not authenticate via institutional Single Sign-On, encrypted passwords were also taken. CareerConnect is used by Oxford, King's College London and the University of Manchester among others, so the breach spans multiple UK higher-education institutions (BleepingComputer, 2026-06-08); The Register notes further unnamed UK and overseas institutions are affected (The Register, 2026-06-06). GTI assessed the intrusion as credential-harvest oriented, raising the likelihood of follow-on phishing against institutional email addresses.

Defender takeaway: SSO adoption directly limited blast radius here — SSO users' passwords stayed with the identity provider, leaving only names and emails exposed. The case reinforces segregation of authentication credentials away from in-app stores and treating shared SaaS career/HR platforms as part of the institutional attack surface. Swiss Hochschulen using shared SaaS career portals should expect targeted phishing waves against the harvested address sets.

UPDATE: Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

UPDATE (originally covered 2026-05-08):

As of the window close (2026-05-09 06:00 UTC), no ransom payment has been made and no further data dump has been published. Three major UK universities issued public statements: University of Oxford confirmed it is working with Instructure and the NCSC-UK; University of Cambridge issued a statement acknowledging that "student and staff data may have been affected" and referred staff to the National Cyber Security Centre guidance; University of Liverpool confirmed it had notified the Information Commissioner's Office under Article 33 GDPR and is conducting a forensic investigation. Universiteiten van Nederland (UNL) confirmed that 44 member institutions are potentially affected, representing all Dutch research universities and applied science universities; the Dutch DPA (Autoriteit Persoonsgegevens) has opened a preliminary investigation.

The threat actor (WorldLeaks) set a 2026-05-12 payment deadline; the extortion amount was stated as €3.2 million. WorldLeaks previously published a 3 GB sample dataset on 2026-05-07 containing course-IDs, student email addresses, assignment metadata, and grade records across four UK institutions. No passwords, payment data, or national identification numbers were present in the sample. Instructure issued a public statement on 2026-05-08 confirming the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure), and that the issue was isolated. Instructure stated it notified affected institutions on 2026-05-01 and has been working with law enforcement.