Oxford University has disclosed a data breach affecting CareerConnect after its third-party provider, Group GTI, confirmed that the careers platform had been compromised on 28 May. Attackers gained access to users’ first names, last names, email addresses and encrypted passwords, at least for those accounts not protected by Single Sign-On (SSO).
The breach is limited to GTI’s own systems. Oxford has stated there is no evidence that university systems themselves were affected, and both GTI and the university say they have found no indication that students’ passwords or financial information were accessed. Course information, uploaded files, appointment data and financial records were also reported as not involved in the incident.
What the Oxford CareerConnect Data Breach Exposed
GTI responded by invalidating the passwords of affected accounts. Alumni, research staff and employer users who log in with a locally set CareerConnect password will be prompted to create a new one the next time they sign in. SSO users, who authenticate through their institution rather than a standalone password, were not subject to the same credential exposure.
Oxford’s statement noted that GTI believes the attack ‘appeared to be focused on gathering credentials which may lead to phishing attempts.’ The university has consequently warned staff, students and external CareerConnect users to be alert to phishing and scam emails in the coming weeks.
CareerConnect is not an Oxford-only platform. King’s College London and the University of Manchester are among the other UK educational organisations that use the same GTI platform to run their own institution-branded career hubs, meaning the incident’s reach potentially extends well beyond Oxford’s own user base.
A Second Breach in as Many Months for Oxford
This is not Oxford’s first data breach disclosure of the year. In early May, the ShinyHunters extortion gang breached Instructure’s Canvas learning management system, which Oxford uses alongside thousands of other institutions. The hackers claimed to have stolen 280 million records tied to students and staff from 8,809 colleges, school districts and online education platforms worldwide.
Instructure subsequently reached an agreement with the cybercrime group, under which the hackers reportedly returned the stolen data and provided shred logs confirming its destruction. Oxford confirmed it was among the affected institutions, though it added that its own systems had not been compromised. The data exposed in that incident was limited to usernames, Canvas email addresses, messages exchanged between users on the platform, course names and course enrolment information.
Two disclosed breaches within the same calendar year, both involving third-party platforms rather than Oxford’s core infrastructure, underline a pattern that universities are increasingly familiar with: an institution’s exposure is only as limited as the weakest vendor in its supply chain. Oxford’s own systems have, on both occasions, been reported as unaffected, but that distinction offers limited comfort to alumni, staff or students whose credentials are now in circulation.
Oxford CareerConnect Breach: What Users Should Do Now
For anyone with a CareerConnect account that uses a locally set password, the practical step is straightforward: expect a password reset prompt on next login, and treat any unexpected email purporting to come from Oxford, GTI or CareerConnect with scepticism. The university’s warning about phishing is consistent with GTI’s own assessment that credential harvesting was the likely motive.
An Oxford University spokesperson was not immediately available for comment when contacted by BleepingComputer. GTI has not made a separate public statement beyond what Oxford has disclosed.

