RiskEvents

Developing event. Generated by AI and subject to further corroboration and review.

DevelopingLow impactAI Refreshed

ShinyHunters extortion gang claims data theft from 100+ Oracle PeopleSoft instances

Occurred 9 Jun 2026·Detected 15 Jun 2026·
🇺🇸 Global targeting of Oracle PeopleSoft server instances, with confirmed victim in Nottingham, UK2 reports
CyberCyberCasualty & Liability

ShinyHunters claims data theft from approximately 300 Oracle PeopleSoft instances across 100+ organizations, with reported concentration in the education sector. Nottingham University has confirmed being a victim and has had data published on the group's leak site. The attackers reportedly combine older vulnerabilities with alleged zero-day exploits, drop ransom notes on compromised servers, and follow with extortion demands. Oracle has not publicly commented.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Low impact. London Market materiality is rated low. The event centres on a cyber extortion campaign against an enterprise application platform, with one named UK university victim confirmed. The supplied context shows no evidence of a concrete insured loss pathway: no named insured cyber claim, no loss estimate, no market pricing movement, and no systemic outage. Education-sector concentration and the absence of Oracle confirmation of a true zero-day limit near-term insured-severity projection. Severity could escalate if an unpatched zero-day is confirmed by the vendor and the victim footprint broadens into regulated sectors, critical infrastructure, or large enterprises outside education.

View assessment methodology

How we grade what we know -- Known · Reported · Uncertain. Methodology →

Intelligence ledger

Each line expands in place to its underlying sourced claim.

AI refreshed 16 Jun 2026, 06:33

Known15 lines

ShinyHunters confirmed to BleepingComputer they are behind the attacks
structured lineknown
No separate sourced-claim record is available for this line yet.
Claimed 300 instances compromised across 100+ organizations
structured lineknown
No separate sourced-claim record is available for this line yet.
Nottingham University confirmed as victim and data published on leak site
structured lineknown
No separate sourced-claim record is available for this line yet.
IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'
structured lineknown
No separate sourced-claim record is available for this line yet.
Attack uses 'gadget chain' of old and zero-day vulnerabilities
structured lineknown
No separate sourced-claim record is available for this line yet.
Script drops ransom note 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on PeopleSoft servers
structured lineknown
No separate sourced-claim record is available for this line yet.
The attack script drops a ransom note named 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on compromised PeopleSoft servers.
ransom_note_dropped_on_serversattack pattern indicatorCyber
Market relevance: confirms extortion, not encryption-only ransomware; informs coverage triggers
Script drops ransom note 'README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT' on PeopleSoft servers” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
Indicators of compromise include 7 IP addresses and a TLS certificate linked to 'azurenetfiles[.]net'.
iocs_azure_netfiles_infrastructurethreat intelligence contextCyber
Market relevance: actionable IOCs for insureds and incident response teams
IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Indicators of compromise include 7 IP addresses and a TLS certificate linked to the domain 'azurenetfiles[.]net'.
iocs_azurenetfilescyber threat landscapevalid from 15 Jun 2026, 19:55Cyber
Market relevance: Provides actionable IOCs for cyber underwriters and incident-response teams; relevant to active risk assessments on PeopleSoft-using insureds.
IOCs include 7 IP addresses and TLS certificate linked to 'azurenetfiles[.]net'” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The University of Nottingham has confirmed being a victim, with data published on the ShinyHunters leak site.
nottingham_university_victim_confirmednamed insured loss indicatorCyber
Market relevance: confirms a UK higher-education victim with published data; informs cyber and education-sector exposure
Nottingham University confirmed as victim and data published on leak site” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters has confirmed to BleepingComputer that it is behind the Oracle PeopleSoft data theft attacks.
shinyhunters_claim_attributionthreat actor attributionCyber
Market relevance: establishes threat actor identity for cyber-underwriting loss models
Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The University of Nottingham has been confirmed as a victim, with stolen data published on the ShinyHunters leak site.
nottingham_university_confirmed_victimnamed insured exposurevalid from 15 Jun 2026, 19:55Cyber
Market relevance: One publicly named UK higher-education victim with confirmed data exposure; relevant to cyber and education-sector insurance portfolios.
Nottingham University confirmed as victim and data published on leak site” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Event lifecycle is set to 'developing' on the basis of multiple corroborating sources.
lifecycle_developinglifecycle contextCyber
Market relevance: reflects event is in active development; underwriters should monitor for escalation
techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
BleepingComputer · 10 Jun 2026, 18:31 · trade media
This event remains at the signal/lifecycle stage with no evidence of a concrete London Market insured loss pathway.
event_lifecycle_signallifecycle statusvalid from 15 Jun 2026, 19:55Cyber
Market relevance: Lifecycle stage supports low London Market materiality rating pending further corroboration.
BleepingComputer · 10 Jun 2026, 18:31 · trade media
Oracle has not publicly disclosed or commented on the reported attacks.
oracle_no_public_commentvulnerability exposurevalid from 15 Jun 2026, 19:55Cyber
Market relevance: Absence of vendor advisory limits patch availability and could extend the exploitation window for insured estates.
Oracle has not publicly disclosed or commented on the attacks” — BleepingComputer · 10 Jun 2026, 18:31 · trade media

Reported11 lines

Most affected organizations are in education sector
structured linereported
No separate sourced-claim record is available for this line yet.
Attempted to breach FBI portal running PeopleSoft but failed
structured linereported
No separate sourced-claim record is available for this line yet.
Oracle has not publicly disclosed or commented on the attacks
structured linereported
No separate sourced-claim record is available for this line yet.
ShinyHunters reportedly attempted to breach an FBI portal running PeopleSoft but failed.
fbi_portal_attempt_failedcontextCyber
Market relevance: context only; no insured loss pathway indicated
Attempted to breach FBI portal running PeopleSoft but failed” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
Most affected organizations reportedly sit in the education sector, particularly universities.
education_sector_concentrationsector exposure contextCyber
Market relevance: narrows near-term insured-severity projection to education sector
Most affected organizations are in education sector” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Supersession history: 1 prior/revised claim rows.
The campaign reportedly uses a 'gadget chain' mixing older Oracle PeopleSoft vulnerabilities with an alleged zero-day exploit.
exploit_chain_old_plus_zero_dayvulnerability severity indicatorCyber
Market relevance: if confirmed zero-day, systemic exposure across the PeopleSoft estate rises sharply
Attack uses 'gadget chain' of old and zero-day vulnerabilities” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claim the campaign reached 100+ organizations.
shinyhunters_scope_claim_100_orgsaggregate exposure sizingCyber
Market relevance: broadens potential insured population for cyber treaty accumulation
100-plus organizations” — techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
ShinyHunters claim to have stolen data from approximately 300 Oracle PeopleSoft instances.
shinyhunters_scope_claim_300_instancesaggregate exposure sizingCyber
Market relevance: size of claimed attack surface; relevant to aggregate exposure assessment
Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations” — techcrunch.com · 10 Jun 2026, 22:00 · mainstream media
claims to have stolen data from over 100 organizations” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claims responsibility for a data theft campaign against Oracle PeopleSoft servers.
shinyhunters_claims_peoplesoft_campaigncyber threat landscapevalid from 15 Jun 2026, 19:55Cyber
Market relevance: Cyber extortion activity targeting widely deployed enterprise application; relevant to cyber insurers with education-sector and large-enterprise exposures.
Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claims to have compromised approximately 300 Oracle PeopleSoft instances.
claimed_instance_count_300cyber threat landscapevalid from 15 Jun 2026, 19:55Cyber
Market relevance: Scale of claimed compromise if validated would materially raise cyber extortion severity in education sector.
claims to have stolen data from over 100 organizations” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
ShinyHunters claims the campaign has impacted more than 100 organizations.
claimed_organization_count_100_pluscyber threat landscapevalid from 15 Jun 2026, 19:55Cyber
Market relevance: If validated, breadth of victim organizations increases aggregate exposure in education and other sectors using PeopleSoft.
claims to have stolen data from over 100 organizations” — BleepingComputer · 10 Jun 2026, 18:31 · trade media

Uncertain12 lines

Whether a true Oracle PeopleSoft zero-day is being exploited (Oracle has not confirmed)
structured lineuncertain
No separate sourced-claim record is available for this line yet.
Total number of confirmed victims vs claims by threat actor
structured lineuncertain
No separate sourced-claim record is available for this line yet.
Scope of data stolen from each compromised instance
structured lineuncertain
No separate sourced-claim record is available for this line yet.
Whether non-education sector organizations are also affected
structured lineuncertain
No separate sourced-claim record is available for this line yet.
Whether a true Oracle PeopleSoft zero-day is being exploited is unconfirmed; Oracle has not publicly disclosed or commented.
zero_day_unconfirmed_by_oraclevulnerability severity indicatorCyber
Market relevance: vendor confirmation of a true zero-day would materially raise cyber market concern
Oracle has not publicly disclosed or commented on the attacks” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The total number of confirmed victims is uncertain and cannot be reconciled with the threat actor's claim of 100+ organizations.
confirmed_victim_count_uncertainuncertainty flagCyber
Market relevance: limits near-term insured-severity projection
Total number of confirmed victims vs claims by threat actor” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
Whether non-education organizations are also affected is not publicly established.
non_education_victims_uncertainsector exposure contextCyber
Market relevance: broadening beyond education would expand cyber accumulation potential
Whether non-education sector organizations are also affected” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The scope of data stolen from each compromised instance is not publicly known.
scope_stolen_data_uncertainuncertainty flagCyber
Market relevance: per-record notification and regulatory cost cannot yet be sized
Scope of data stolen from each compromised instance” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
It is uncertain whether non-education sector organizations are also affected by the campaign.
non_education_exposure_uncertainuncertainty caveatvalid from 15 Jun 2026, 19:55Cyber
Market relevance: Determines whether cyber exposure broadens beyond education into corporate, public-sector, and financial services books.
Whether non-education sector organizations are also affected” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The attackers are reported to use a 'gadget chain' combining older vulnerabilities and an alleged zero-day against Oracle PeopleSoft; Oracle has not confirmed a zero-day.
exploit_chain_includes_zero_dayvulnerability exposurevalid from 15 Jun 2026, 19:55Cyber
Market relevance: If an unpatched zero-day is confirmed, severity for unpatched PeopleSoft estates rises sharply across all sectors.
Attack uses 'gadget chain' of old and zero-day vulnerabilities” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The scope of data stolen from each compromised PeopleSoft instance is not yet publicly established.
scope_of_stolen_data_uncertainuncertainty caveatvalid from 15 Jun 2026, 19:55Cyber
Market relevance: Without data scope, severity bands (notification, regulatory, ransomware escalation) cannot be reliably assigned.
Scope of data stolen from each compromised instance” — BleepingComputer · 10 Jun 2026, 18:31 · trade media
The total number of independently confirmed victims remains well below the figures claimed by the threat actor.
confirmed_vs_claimed_victims_gapuncertainty caveatvalid from 15 Jun 2026, 19:55Cyber
Market relevance: Gap between threat-actor claims and confirmed victims materially affects severity calibration for cyber insurers.
Total number of confirmed victims vs claims by threat actor” — BleepingComputer · 10 Jun 2026, 18:31 · trade media

Geographic Zone Matches

3 active matches

  • TRIA Certified Areas
    Rule-basedConfidence 100%
  • Pacific Ring of Fire
    Rule-basedConfidence 100%
  • Caribbean Hurricane Zone
    Rule-basedConfidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇬🇧 United Kingdom🇺🇸 United States

Latest developments

  • ShinyHunters confirmed to trade media that it is conducting the Oracle PeopleSoft extortion campaign. BleepingComputer
  • Threat actor claims approximately 300 PeopleSoft instances compromised; not independently verified. BleepingComputer
  • Threat actor claims 100+ organizations affected; not independently verified. techcrunch.com
  • The University of Nottingham has confirmed being a victim and has had data published on the leak site. BleepingComputer
  • Reporting indicates a majority of victims are in the education sector. BleepingComputer
  • Attackers reportedly combine older PeopleSoft vulnerabilities with an alleged zero-day exploit. BleepingComputer
  • Oracle has not publicly confirmed a zero-day; the claim remains unverified. BleepingComputer
  • Affected servers display a ransom note file consistent with extortion activity. BleepingComputer

Timeline

Intelligence Refresh16 Jun 2026, 06:33
Status Change16 Jun 2026, 02:12

Status changed to developing

evidence_trigger: corroboration >= 2

signal -> developing

Corroboration16 Jun 2026, 02:12

A cybercriminal group claims to have breached Oracle PeopleSoft servers at over 100 organizations, primarily universities and educational institutions. The claim, if validated, represents a large-scale supply chain or enterprise application compromise with significant data breach and potential ransom implications across multiple insured entities.

Source: techcrunch.com (Mainstream Media) · View source

Intelligence Refresh15 Jun 2026, 19:58
Initial Detection15 Jun 2026, 19:55

Initial Detection

ShinyHunters is conducting widespread data theft attacks against Oracle PeopleSoft servers, claiming to have compromised 300 instances across 100+ organizations, primarily in education. The attacks exploit old and zero-day vulnerabilities and are followed by extortion demands. Nottingham University has confirmed being a victim with data already published on the group's leak site.

Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.

Source: BleepingComputer (Trade Media) · View source

Lloyd's classifications

Tracking this kind of risk? Get an email when Cyber events escalate.

Get alerts
← Back to live events