
Cyberattack sees crops kept in the ground

A cyberattack on Australia’s second-largest sugar producer has forced farmers to keep crops in the ground, and looks like denting their incomes. Mackay Sugar, based in the Australian state of Queensland, processes sugar cane farmed in nearby districts. The company disclosed a cyberattack on June 10 and limited operations while it dealt with the fallout. Some operations remain restricted, but the company said on Monday that it managed to perform some manual crushing at its Farleigh Mill site, working with sugar cane that was harvested before the attack. “Significant progress has been made over the weekend in restoring the systems that support cane supply, harvesting, and mill operations,” Mackay Sugar said in a statement. “Steam trials are now underway, and subject to final validation activities, some harvesting is expected to recommence this week in preparation for the staged restart of crushing operations later this week.” While the company is optimistic it can resume crushing, it's advised growers not to harvest their crops for the time being. That edict works for Mackay Sugar because sugar producers need to process crops within 48 hours of harvest. Doing so preserves high sugar content and overall yield. Delaying the processing for any longer after harvesting could result in sucrose converting to simple sugars, unwanted fermentation, and lower yields. But late harvesting can reduce the quality of cane, reducing the price they earn for their crops. Interrupted harvesting also impacts the railways used to move cane from farms to mills. Mackay Sugar acknowledged the impact its downtime could have on growers and other partners, and committed to restoring systems safely. “We are communicating directly and regularly with our employees, growers, and key partners,” it said. “We recognise the impact this incident is having on our growers, and we are doing everything we can to support them and to safely resume full operations as soon as possible. 
“We take our responsibility to protect our systems, operations, and information very seriously. We apologise for any disruption this incident has caused and will continue to provide updates as we continue our investigation.” The company operates three mills across Queensland, two of which were operating at a limited capacity due to the attack. Its Racecourse Mill, described as the heart of the business and home to its corporate offices, was among those affected. Racecourse Mill typically generates 213,000 tons of raw sugar and 58,000 tons of molasses a year, and the site’s cogeneration plant generates 156,000 MWhs of renewable electricity a year, around 71 percent of which is sent back into the national electricity grid. Mackay’s mill in Farleigh, the company’s oldest, was also affected. It typically produces around 196,000 tons of raw sugar and 49,000 tons of molasses per year. The company’s largest and most productive factory, Marian Mill, was unscathed.

Ungentlemanly conduct

Cybercrime group The Gentlemen claimed responsibility for the attack on Mackay Sugar, posting the company to its data leak site without offering any details about the attack or whether it stole data to use as leverage for extortion demands. Cyber threat intelligence professionals have known of the group for almost a year, after spotting it in July 2025 and classifying it as a ransomware-as-a-service provider. However, there is no evidence that ransomware was used in the attack on Mackay Sugar. The company has never mentioned ransomware in its statements, referring to the attack only as a “cyber security incident.” However, The Gentlemen is known for using file-encrypting malware in its double extortion attacks. The group caught the attention of Microsoft’s researchers, who last month published a deep dive into how it carries out attacks. 
Microsoft’s report noted that not only do The Gentlemen affiliates have access to a powerful file encryptor, but also one that self-propagates, which “increases the likelihood of widespread impact once initial access is achieved.” It has also recently established a partnership with BreachForums, which allows the group to recruit prospective new affiliates with different skillsets, such as penetration testers and initial access brokers. ®

  •  

Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic

Cybercrims deploying DragonForce ransomware appear to have gained access to a major US services company's network, then spent two months up to no good while disguising their command-and-control activities as legitimate Microsoft Teams traffic. Researchers at security firm Symantec said the intrusion began with attackers gaining access to the victim's environment before deploying a custom Go-based backdoor, tracked as "Backdoor.Turn," to maintain communication with the compromised systems. Rather than reaching out to attacker-controlled infrastructure that might raise alarms, the backdoor hid its activity inside traffic associated with Microsoft's widely used collaboration platform. To anyone monitoring network traffic, the compromised systems appeared to communicate only with legitimate Microsoft servers. "The attackers in this campaign use exceptionally sophisticated cyber tradecraft," Symantec said. "The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors." Symantec said the attackers installed Backdoor.Turn on systems after deploying DragonForce ransomware, potentially giving them a way back into compromised networks or access they could later sell to other criminals. To connect to Microsoft's infrastructure, the backdoor first requested an anonymous visitor token from Microsoft Teams and Skype back-end services. It then used a Microsoft-operated TURN relay server – infrastructure typically used to help establish communication between users – before establishing a direct QUIC connection to a malicious command-and-control server. Symantec said this is the first known case of malware using this particular technique. The security firm did not identify the victim beyond describing it as a major US services company, nor did it say whether the Teams-based communications channel had been observed in other DragonForce incidents. 
The ransomware operation has become increasingly prominent over the past year, operating a ransomware-as-a-service model that allows affiliates to conduct attacks under the DragonForce banner. It has been linked to the prolific Scattered Spider group, which has conducted a string of high-profile attacks, including intrusions targeting major retailers in the UK. While attackers have long abused legitimate cloud services to conceal malicious traffic, Symantec's findings suggest that DragonForce operators continue to look for ways to blend into the software and infrastructure that organizations trust most. ®

  •  

Cardiac monitor maker's security skips a beat as data thieves go for the jugular

Heart monitoring biz iRhythm says thieves made off with patient health information and tried to turn it into a payday. The California-based cardiac monitoring specialist offers customers a wearable device that collects data, then analyzes it to create reports about heart health. The company said it detected unauthorized activity on June 8 and launched an investigation with the help of third-party cybersecurity experts. A day later, the company received messages from a cybercriminal claiming to have obtained sensitive information, including proprietary company data, protected health information, and other personal information. According to iRhythm's filing with the US Securities and Exchange Commission, the attackers demanded payment in exchange for not publicly disclosing the stolen data. The company confirmed that data had been exfiltrated and, on June 10, determined that the incident was material due to the volume of information potentially affected. While the company disclosed the extortion demand and the existence of stolen data, it made no mention of negotiations. iRhythm spent a good chunk of the filing explaining what the attackers didn't get. According to the company, the intrusion was confined to business applications and never reached its clinical systems, medical devices, or customer connections. Patient care and day-to-day operations were unaffected. The company has not yet disclosed how many individuals may be affected, what data was accessed, or which third-party-hosted applications were involved in the breach. It has also not identified the threat actor behind the attack, and The Reg has found no evidence of major ransomware groups claiming responsibility. The company's filing states the attackers gained access through social engineering. 
Exactly how that happened remains unclear, although healthcare organizations have increasingly found themselves dealing with phishing campaigns, help desk impersonation scams, and other forms of human-targeted intrusion designed to bypass technical defenses. As of the filing date, iRhythm said it had not identified any ongoing unauthorized access to its systems and believed the incident was unlikely to have a material impact on its financial condition or operating results. The company added that it maintains cyber insurance that may cover some of the losses associated with the breach. iRhythm's disclosure comes less than a week after drug giant Novo Nordisk revealed that attackers had copied patient data from some clinical trials, adding another healthcare name to a growing list of organizations dealing with data theft and extortion attempts. ®

  •  

Scammers keep scoring: Brits fleeced for £1.3B as Americans lose $3.5B to impersonators

Brits lost £1.28 billion ($1.7 billion) to payment fraud last year as scams continued to thrive on online platforms and telecoms networks, according to the latest figures from banking trade association UK Finance. The 2025 losses represent a modest four percent rise on the previous year, the trade association said, but the main sources of fraud remained familiar. UK Finance said two-thirds (66 percent) of incidents start with online platforms, such as scams promoted through social media adverts. Telecoms accounts for a smaller proportion (17 percent) but encompasses crimes such as impersonation fraud, which can result in larger per-crime losses. Calling for tighter regulations on tech and telecoms, UK Finance said online marketplaces must take measures to reduce scammers' use of their platforms. This could include prohibiting off-platform payments, relying solely on secure alternatives. It also called for stronger action against fraudulent social media advertising. "The financial sector invests huge amounts in protecting customers, but we cannot be the only line of defense," said Ruth Ray, managing director of economic crime at UK Finance. "Almost £1.3 billion was stolen again last year and it is clear we are not tackling the underlying problem effectively enough. "Given most authorized push payment (APP) fraud still starts via online tech platforms or via telecoms, we urgently need stronger, enforceable responsibilities to be placed on these sectors. This is the way to reduce the harm and stop criminals and tech companies profiting from these devastating crimes." APP fraud losses jumped 19 percent in 2025 compared with the year before. Total losses exceeded £576 million ($772.8 million), and consumers incurred the vast majority of these losses. Of the total cases, purchase scams comprised more than seven in ten, with annual losses increasing 20 percent to £118.1 million ($158.4 million). 
APP fraud involves convincing the victim to pay for something themselves, but the criminal giving the orders is the only party to financially benefit. Crimes that fall under the APP umbrella include investment fraud, romance fraud, and impersonation fraud – all of which saw double-digit percentage increases in case numbers. "What makes APP scams particularly worrying is how much can be lost before a victim even realizes, and how little advice still exists for consumers once it happens," said Aditya Hindocha, VP of account partnerships at SquareTrade Europe. "Device warranties largely won't cover data theft. Home insurance excludes digital losses. Banks may refund some fraudulent transactions, but there's no guarantee. Consumers today lack support for what comes next: restoring stolen funds, recovering a compromised identity, or navigating the months of fallout that follow." Unauthorized payment fraud, under which the remaining offenses fall, accounted for a higher value of total losses (£703.4 million/$943.8 million). While the total value of losses represents a decrease of five percent compared to 2024, the number of cases increased by 11 percent to 3.81 million, according to the latest report [PDF]. Unauthorized fraud encompasses offenses such as online payments made using stolen card details, lost or stolen card fraud (such as ATM skimming, petty card theft), remote banking fraud, and contactless fraud.

US faring no better

The Federal Trade Commission published figures this week for impersonation fraud in the US, which reached $3.5 billion in associated losses last year. It said that impersonation fraud was the most commonly reported fraud type last year, accounting for nearly one in three cases across 2025. Nearly $1 billion of the total was lost after scammers impersonated a business, with the most common type being banks, and around $920 million as a result of government impersonations, up from $866 million and $789 million respectively in 2024. 
According to the FBI's annual cybercrime report, published in April, government impersonation fraud saw the biggest increase in case numbers of all offenses, up 128 percent from 2023 to 2025. A separate warning from May 2025 urged citizens to be wary of the common tricks scammers use in these cases, which increasingly involve AI-generated voices to convince victims they are speaking with genuine government representatives. ®

  •  

Garlasco, a witness emerges: “I saw a blonde woman, she had crazed eyes. They threatened me, telling me to mind my own f***ing business”

“I saw her, she had crazed eyes like you wouldn't believe.” This is the account of a man who on August 13, 2007, the day of the murder of Chiara Poggi, was reportedly in Garlasco and came across a person on a bicycle. The man in question had already reported what he saw to the Carabinieri in July 2025. His testimony is now topical again because it was gathered by Antonino Monteleone in the episode of “Filorosso” aired on June 15 on Rai 3.

The witness's words

A testimony “that made us jump,” the host explains to viewers, speaking of what was reported by a man who was reportedly near the house on Via Pascoli on August 13 of 19 years ago. “We tracked this person down and asked him to put in context the reason for this testimony,” explains Monteleone before playing the audio of his conversation with the witness, who explains how his words have been taken lightly by everyone, “but I didn't tell a lie, because I was there that day and I remember very well what I saw. I saw her, she had crazed eyes like you wouldn't believe, and I also told [the Carabinieri, ed.]: ‘I remember the details of a black bicycle, it had shiny spokes, it looked like a new bicycle.’” “The certainty is a woman with blonde hair,” Monteleone presses him. “As a man, objectively she was a beautiful girl, it's clear that I looked at her with particular attention,” the witness replies. “And in my witness statement I also explained why it took me time to say it. What gets on my nerves is that so many people talk but don't know the facts and judge.”

“They threatened me”

And further: “I'm not from that area; even though I live in the province of Pavia I really don't know anyone from Garlasco, I have no dealings with anyone. I have always worked in nightclubs and events, so I was there for work reasons. I remember very well what I saw, the person I saw also looked at me, we looked each other in the face.” The alleged witness says he has received threats: “I was also threatened for what I said, and I was afraid because I don't know how they knew what I said. They rang my doorbell telling me to mind my own f***ing business, that I shouldn't know anything about Garlasco.” The man, confiding in the journalist, also regrets that his words have so far not been given much consideration: “I provided everything and then nobody gives a s**t about you. It seems that what I saw… who cares. It eats away at me that nobody takes an interest in that,” he concludes.

The article Garlasco, a witness emerges: “I saw a blonde woman, she had crazed eyes. They threatened me, telling me to mind my own f***ing business” comes from Il Fatto Quotidiano.

  •  

Council of Europe hacked in ShinyHunters' PeopleSoft heist

ShinyHunters claims to have breached the Council of Europe and stolen more than 297 GB of data after exploiting a zero-day flaw in Oracle PeopleSoft and abusing that hole to hack more than 100 organizations. According to a post on the extortion crew’s data-leak site, the 429,000 pilfered files contain HR and payroll records, payslips, purchase-order records, CVs, and employees’ salary, banking, tax, and medical records. A Council of Europe spokesperson told The Register that it is “currently investigating the matter and assessing the situation,” but declined to comment further. A spokesperson for the cybercrime group told us that the Council is yet another victim of the Oracle PeopleSoft heist. Oracle has yet to respond to The Register’s inquiries, and it's unclear if the vulnerability, tracked as CVE-2026-35273, has been patched. ShinyHunters previously told us that the gang exploited the CVE to compromise more than 100 organizations across 300 vulnerable instances, and that these victims included the University of Nottingham. Last week, the crims listed the UK uni on their leak site, then dumped data belonging to around 454,600 current and former students, including personal and academic records. Meanwhile, a Google threat report published late last week noted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and said that its incident responders notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints." Most of these are US-based organizations, and 68 percent operated within the higher education sector. This latest heist follows another ShinyHunters intrusion targeting data belonging to university and K-12 students, teachers, and staff. 
In mid-May, ed-tech giant Instructure said it “reached an agreement” - this is corporate-speak for “paid the ransom demand” - with the data theft and extortion crew after ShinyHunters breached its Canvas digital learning platform and accessed data tied to 275 million students, teachers, and staff. In March, ShinyHunters claimed it stole data from K-12 software provider Infinite Campus as part of a broader wave of Salesforce-related intrusions. The ed tech company did not pay up, and the group subsequently published data they claim was stolen from Infinite Campus, including 137,000 individuals’ email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus, in its data breach notification, said that the leaked files largely consisted of “names and contact information for school staff" and that “the majority is directory information commonly found on school websites.” ®

  •  

“Marco Fassoni Accetti is the new suspect in the disappearance of Emanuela Orlandi, he was part of a network dedicated to luring adolescents”: the turning point in the Rome Prosecutor's Office's new investigation

“Marco Fassoni Accetti is the new suspect in the disappearance of Emanuela Orlandi”: so writes the daily newspaper Repubblica. While official confirmation is awaited, the controversial Roman photographer is said to be “in the sights of the Rome Prosecutor's Office,” which three years ago reopened the investigation into the Vatican citizen who mysteriously vanished in Rome on June 22, 1983. As part of this inquiry, the third into Emanuela Orlandi, we recall that there is already one person entered in the register of suspects, Laura Casagrande.

The Rome Prosecutor's Office investigation

“Accetti is once again under investigation for that disappearance (of Emanuela, ed.). The suspicion is that the Roman photographer may have been part of a network of adults dedicated to luring adolescents to be made available to third parties,” writes Repubblica. From this perspective, the paedophilia lead that had already emerged in the past therefore seems to be gaining strength with regard to the kidnapping of the Vatican Girl. Kidnapper, telephone caller, jailer: for years Accetti, now 70, has attributed several roles to himself in the case of Emanuela Orlandi and also in that of Mirella Gregori, which was associated with the Orlandi case at the time of the events (following the communiqués of phantom kidnappers). Back in 2013, the magistrates shelved his statements, which investigators described as a “fanciful screenplay.” On that occasion, Accetti accused himself before the prosecutors of having been the kidnapper of both Emanuela and Mirella, and was branded unreliable. But now things seem to have changed, perhaps precisely following Accetti's long hearing before the Orlandi-Gregori commission of inquiry. And some disappearance cases that marked the Rome of the 1980s could be reread by the magistrates from a new perspective. “Accetti's role continues to be assessed with extreme caution by investigators, but today it sits within a broader and different picture. What the prosecutors are verifying no longer concerns only the reliability of his self-accusations” (source: Repubblica). “The Carabinieri of the Investigative Unit of via In Selci are hearing many witnesses already heard at the time and looking for new ones (…) The magistrates are also collecting statements from men and women who were adolescents at the time and who today say they met the photographer through the promise of photo shoots. The aim is to understand whether he accompanied them to private homes or introduced them to unknown persons” (source: Repubblica).

The new developments in the inquiry and the Garramon case

Again according to Repubblica, the most evident new development in the new Rome investigation concerns the inquiries into Accetti being extended to the disappearance of Mirella Gregori and to other Roman mysteries of those years. “The real breaking point of the investigation coordinated by prosecutor Stefano D’Arma leads to the Eur district, to the Castel Porziano pine forest and to the death of a 13-year-old boy, Josè Garramon” (source: Repubblica). Garramon's death dates from the same period as the mysterious disappearances of Emanuela and Mirella (December 20, 1983) and was the only crime for which Accetti received a final conviction, for the offences of manslaughter and failure to render assistance. It was Accetti himself, at the wheel of his Ford Transit van, who ran over the boy, the son of a Uruguayan diplomat. It remains an obscure and inexplicable point, however, how the child, who had left home to go to the barber in Eur, managed that day to arrive alone and in the dark in a pine forest 20 kilometres from home. Who took him to Castel Porziano that day, and why? And it is precisely in the light of these never-resolved inconsistencies that the Roman magistrates may want to investigate, in order to trace a role for Accetti in the Roman context of those years, going well beyond the aura of a mythomaniac spreader of false leads that has surrounded him over these 43 years.

The Amerikano and Katty Skerl

According to Repubblica, the Carabinieri are also trying to shed light on the phone calls of the Amerikano, the man with the foreign accent who telephoned Emanuela Orlandi's home in the summer of 1983, identifying himself as the girl's kidnapper. Accetti, we recall, also accused himself of being the Amerikano. The purpose of the new investigation is “to establish whether behind those altered voices and those letters there may have been the hand or the voice of Accetti,” writes Repubblica. Marco Accetti's self-accusations were not limited to the Orlandi and Gregori cases but also involved another Roman cold case: the unsolved murder of Katty Skerl. The 17-year-old was found strangled in a vineyard in Grottaferrata in January 1984. In 2013, Accetti wrote on his blog that the girl's coffin had been stolen from the Verano cemetery and linked the macabre theft to the Emanuela Orlandi case. His statements fell on deaf ears, but in 2022 the Prosecutor's Office ordered the opening of the burial niche, which was indeed found empty: Katty's coffin really had been stolen. To the Orlandi-Gregori parliamentary commission of inquiry, which heard him for a full seven hours, Accetti also handed over a very long written account. After 43 years, perhaps the moment has truly come to examine all of Accetti's confessions and accounts to clarify whether he had a role in these dark events, or whether he was only a professional spreader of false leads.

The article “Marco Fassoni Accetti is the new suspect in the disappearance of Emanuela Orlandi, he was part of a network dedicated to luring adolescents”: the turning point in the Rome Prosecutor's Office's new investigation comes from Il Fatto Quotidiano.

  •  

ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day

Data theft and extortion group ShinyHunters has exploited a critical Oracle PeopleSoft bug as a zero-day to compromise more than 100 organizations, including the University of Nottingham, across 300 vulnerable instances. A spokesperson for the cybercrime crew on Thursday told The Register that they exploited CVE-2026-35273 to break into the university’s PeopleSoft system and steal 40 GB of personal data and billing records belonging to hundreds of thousands of current and former students. ShinyHunters posted the UK university on its data leak site on Tuesday before publishing the stolen files later that same day, presumably because the school refused to pay the extortion demand. “University of Nottingham on our leak site is one of the first publicly confirmed incidents,” a ShinyHunters spokesperson told us. “We have only just started outreach to affected orgs and are actively looking to reach an agreement with affected orgs.” They didn’t say when they planned to post the other 100 or so claimed victims. A Google threat intelligence report published Thursday afternoon corroborated ShinyHunters’ claims to have compromised more than 100 organizations. Google said it spotted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints." Most of these, we’re told, are based in the US and 68 percent are in the higher-education sector. PeopleSoft is a widely used enterprise software suite that large corporations and institutions use to manage their human resources, payroll and billing applications, supply chains, and student records. CVE-2026-35273 is a 9.8 CVSS-rated vulnerability that allows remote, unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools and fully take over the platform. 
On Wednesday, a day after ShinyHunters leaked the school’s data, the University of Nottingham confirmed the breach and Oracle issued an out-of-band security alert. It’s unclear, however, if the software provider has issued a patch to fix the security flaw. The Register reached out to Oracle, and did not receive any response to our questions. Google-owned Mandiant Chief Technology Officer Charles Carmakal, in a brief LinkedIn post on Thursday, warned that PeopleSoft was one of two zero-day vulnerabilities “actively being exploited in the wild.” “Oracle released mitigations,” Carmakal wrote. “Patches should come soon.” The other zero-day, for the record, is this Cisco Catalyst SD-WAN Manager vulnerability. ®

  •  

Malware scare keeps schoolkids home for a second day

Great Marlow School in Buckinghamshire, England, has entered its second day of a shutdown following "a suspected malware incident." Only students sitting their GCSE and A-level exams – those in Years 11 and 13 – were permitted to attend on Wednesday, in line with their exam timetable, and the same goes for Thursday. Students in other years (Years 6-10 and Year 12) were told to stay at home and access what revision materials they can via Microsoft Teams as teachers are currently unable to set them any work. Those scheduled to take internal mock exams, students in Years 10 and 12, will sit them later in the year. Some extracurricular activities, such as Year 7's learn-to-row session, have been rearranged, although the 7 and 8 athletics event will go ahead on Thursday as planned. Great Marlow School's statement suggests it remains in the containment stage of its recovery, with limited access to systems. "As a precautionary measure, we have restricted access to elements of our network while we investigate the issue thoroughly and take the necessary steps to ensure the security and integrity of our systems and data," headteacher Guy Pendlebury said in a statement on the school's website on Tuesday evening. "We are responding in line with guidance from the Department for Education (DfE) and the National Cyber Security Centre (NCSC). Immediate action has been taken to contain the incident, and we are working closely with specialist IT and cybersecurity professionals to fully assess the situation and restore normal operations as quickly and safely as possible. Appropriate reporting procedures have also been followed." The school did not comment on whether the attack involved ransomware or if any of its data was presumed compromised. It adds to a grim week for cybersecurity in the education sector. A high school in Illinois also closed for two days this week due to a ransomware attack, but reopened on Wednesday, although its phone lines are still down. 
And Nottingham Uni confirmed it was the victim of ShinyHunters. In Wales, 13 schools across the Powys region were affected by a cyberattack that is thought to have led to data theft from only one of these institutions. Powys council disclosed the attack on June 4, saying it was originally identified in April, and sensitive data belonging to students and school staff is suspected of being compromised. None of the 13 schools have closed, however. ®

  •  

Nottingham Uni says student records raided after ShinyHunters claims cyberattack

The University of Nottingham has confirmed a cyberattack on its student record system after the ShinyHunters crew claimed to have stolen tens of gigabytes of data from the Russell Group institution. "The University of Nottingham has been the victim of a cyber incident and a significant amount of data in our student record system has been accessed by a well-known cybercriminal group," a spokesperson told The Register. "We are working with the third party that maintains the platform to lead a forensic investigation. We understand that those affected will have concerns about what this means for their personal data and we will be offering advice and support to our students as we learn more. "We take the privacy and security of data that we hold seriously, and we have reported this incident to Action Fraud and the Information Commissioner's Office. The university will continue to provide them with further information as our investigation progresses." ShinyHunters claimed responsibility for the attack on Tuesday, saying they had stolen around 40 GB of the institution's data. It reckons this included billing and payment records, credit card and payment details, student finance data, and "campus portal exports." The criminal crew further claimed that the University of Nottingham's Malaysia and China campuses were also compromised. On Wednesday evening, breach notification service Have I Been Pwned added the 10 GB dataset leaked by ShinyHunters to its database, saying around 454,600 university-related email addresses were included. "Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information, including names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and information relating to academic enrolments and fee payments," HIBP stated. Around the same time, the university acknowledged the attack publicly, saying it affected both current students and alumni. 
Individuals believed to be affected have been contacted directly, and the university has stood up a dedicated support line. The attack could hardly have come at a worse time for Nottingham, which is embroiled in a dispute with staff after confirming hundreds of redundancies over the next three years. University employees, including teaching staff, have revolted, protesting against the decision by refusing to mark students' assessments. The University and College Union (UCU) entered a period of industrial action on June 1, saying it would not end until July 31. This includes a two-month strike and a boycott of marking duties, similar to action taken by staff in 2022 and 2023. Students have just finished sitting their end-of-year exams, but potentially face having their degree classification decided by predictions based on prior grades, per the university's contingency plans, if staff continue to refuse to carry out marking duties. Alternatively, students can wait to receive their final results, but these will come later than their peers' – not just at Nottingham but at other UK universities – and leave them at a time disadvantage when applying for graduate schemes and entry-level jobs.

UK education battered

The attack on the University of Nottingham comes amid a spate of other incidents affecting UK schools. Powys council confirmed on June 4 that a cyberattack was affecting 13 schools in the Welsh county, and that data had been stolen from at least one of them. Additionally, Great Marlow School in Buckinghamshire entered its second day of a shutdown today after a "suspected malware attack" on the school forced it into a containment phase. Most students, other than those attending to take their GCSE and A-level exams, have been told to stay home, with teachers unable to set remote work. Students should access what revision materials they can via the school's Microsoft Teams network. ®

  •  

Fake OpenAI repository on Hugging Face distributes malware

The race to AI is creating new attack surfaces, and cybercriminals are beginning to exploit them with increasingly sophisticated techniques. The latest case comes from the world of open source models and collaborative platforms dedicated to artificial intelligence: a malicious repository published on Hugging Face managed to pass itself off as an official OpenAI project, reaching […]

The article Fake OpenAI repository on Hugging Face distributes malware comes from Securityinfo.it.

  •  