
Oxford Confirms Third-Party Data Breach on CareerConnect Platform Exposed Personal Information

Oxford University has disclosed a third-party data breach stemming from a security vulnerability affecting its Group GTI-managed career support platform CareerConnect.

Ranked first globally for ten consecutive years since 2017 in the Times Higher Education (THE) World University Rankings, Oxford contributes approximately $22.6 billion (£16.9B) to the U.K. economy and supports more than 90,400 permanent jobs.

The University has more than 26,000 students, including 12,460 undergraduates and 13,755 postgraduates across its 43 autonomous colleges.

Oxford’s third-party data breach leaks personal information

On June 1, 2026, Oxford said it was notified of a security breach affecting its careers services platform, resulting in unauthorized access to the personal information of students, alumni, researchers, and recruiters.

The May 28 third-party data breach leaked first and last names, email addresses, and encrypted passwords for users who did not use single sign-on (SSO) to log in to the career portal.

“Students use their SSO to sign in to CareerConnect which means their passwords are not affected. Only names and e-mail addresses would have been acquired in the breach,” Oxford stated.

Additionally, the third-party data breach did not leak course information, uploaded files, appointment information, or financial information. Similarly, the attackers did not gain access to Oxford’s internal systems, as the breach was confined to a third-party career platform. So far, Oxford has not disclosed the number of impacted individuals.

According to Group GTI, the attackers’ objective was credential harvesting, which could potentially lead to phishing attacks.

“The main precaution at this stage is to remain alert to phishing or scam emails and to ensure devices used for work or study are appropriately protected,” Oxford advised.

Victims should therefore be on the lookout for unsolicited communications from individuals purporting to represent Oxford or CareerConnect. They should also independently verify any information and closely monitor their accounts for suspicious activity.

Impacted users should also be aware that Oxford does not request sensitive information, such as credit card numbers or account passwords, via email or text.

“Attackers no longer need to compromise a university’s core network to create real harm,” said Michael Centrella, Head of Public Policy at SecurityScorecard. “Since CareerConnect is used for internships, careers, events, and employer or recruiter activity, exposed names and email addresses can help attackers craft more convincing phishing attempts. A fake employer message or fraudulent job opportunity is much harder to spot when it appears connected to a platform students and alumni already recognize.”

Group GTI fixes CareerConnect security vulnerability

Group GTI says it has successfully fixed the security vulnerability and implemented additional security measures to protect personal information from further unauthorized access.

“GTI has confirmed that the security vulnerability has been fixed and additional security measures have been put in place,” Oxford stated.

Oxford also reset user passwords out of an abundance of caution, and affected users will be required to create new passwords on their next login. The password reset will affect only alumni, research staff, and employer accounts that use locally set passwords.

So far, no cybercrime gang has claimed responsibility for the Oxford third-party data breach, and Group GTI has not disclosed receiving ransom demands. Similarly, the third-party data breach did not disrupt operations, thus ruling out a ransomware attack.

This is the second third-party data breach to affect Oxford University in 2026. In May, Oxford was among the schools and universities hit by the third-party data breach affecting the Instructure-managed learning management system (LMS) Canvas. The attack, claimed by ShinyHunters, affected over 8,809 academic institutions and platforms, leaked approximately 280 million records, and disrupted learning activities.