Oxford University Suffers Second Data Breach Via Career Platform
Oxford University's CareerConnect platform, managed by Group GTI, experienced a data breach exposing student and alumni names and email addresses, alongside encrypted passwords for non-SSO users.

Oxford University is once again grappling with a data breach, this time affecting its CareerConnect platform, a service provided by Group GTI that assists students and alumni with career opportunities. The intrusion, which occurred on May 28, exposed the full names and email addresses of users. Additionally, individuals who did not utilize single sign-on (SSO) had their encrypted passwords compromised.
CareerConnect serves a broad audience within the university, including students, alumni, research staff, and recruiters. The platform, marketed by GTI as TargetConnect, is also utilized by other educational institutions globally. Oxford University stated that the security vulnerability enabling the breach has since been rectified, though GTI has not publicly detailed the specific flaw or confirmed the number of affected individuals.
While GTI has not explicitly stated which user groups were impacted, Oxford's advisory indicated that alumni, research staff, and employer users had their passwords forcibly reset. The university emphasized that no course information, uploaded files, appointment details, or financial data were involved in this incident. GTI suggested the attackers' primary objective was to acquire credentials for potential phishing campaigns.
This incident marks the second external platform breach affecting Oxford University in recent months. Previously, the university was among the approximately 8,800 educational institutions impacted by a significant breach at Instructure's Canvas learning management system. That earlier attack, attributed to the ShinyHunters group, exposed sensitive data for up to 275 million students, teachers, and staff worldwide.
The Canvas breach, which coincided with exam periods for many students, led to disruptions in access to learning materials, tests, and grades. Instructure reported reaching an agreement with ShinyHunters to prevent the public release of the stolen data, claiming to have received confirmation of data destruction.
While the CareerConnect breach is distinct from the Canvas incident, it highlights a recurring vulnerability in the third-party service providers used by educational institutions. The exposure of personal data and credentials, even when the passwords are encrypted, poses a significant risk of phishing and identity theft for affected users.
The university's announcement to students and staff aims to inform them of the potential risks and necessary precautions. The attackers' focus on credential harvesting underscores the ongoing threat of account takeovers and subsequent malicious activities targeting individuals within academic communities.
This latest incident serves as a stark reminder for educational institutions to rigorously vet the security practices of their third-party vendors and to ensure robust data protection measures are in place across all platforms that handle sensitive student and staff information.