This week has been a busy one for cybersecurity incidents.
Microsoft released the largest Patch Tuesday in history, with 206 vulnerabilities, three zero-days, and patches that every Windows-running organisation needs to apply now.
The ShinyHunters extortion group has confirmed it breached the University of Nottingham, exposing data on 455,000 students and alumni, including passport numbers, disability information, and payment records. The same group has hit over 100 organisations worldwide using an Oracle zero-day that was only patched this week.
Pharmaceutical giant Novo Nordisk disclosed that hackers stole clinical trial participant data, including health and biomarker information, and healthcare partners were warned to expect targeted phishing.
ServiceNow confirmed that attackers accessed sensitive customer data through an unauthenticated API endpoint that the company had known about internally since April.
UK schools are under sustained attack. Great Marlow School in Buckinghamshire was forced to close for two days, and 13 schools across Powys in Wales were also hit.
Ivanti Sentry has a flaw rated CVSS 10.0, the maximum score, which allows unauthenticated attackers to take full control of the gateway. Full details and recommended actions for each are below.
Microsoft released its June 2026 Patch Tuesday update on 10 June, fixing 206 security vulnerabilities across Windows, Office, Azure, and other products. This is the largest Patch Tuesday in the history of the programme, which Microsoft has been running since 2003. Of the 206 flaws, 33 are rated critical. The update also fixes three publicly disclosed zero-days. CVE-2026-49160 is a flaw in the HTTP/2 protocol stack that allows a remote attacker to crash a Windows server by sending specially crafted requests over the internet. CVE-2026-45586 allows a local attacker to elevate their privileges to SYSTEM level by abusing a component called CTFMON. CVE-2026-50507 is a BitLocker bypass that could allow someone with physical access to a device to unlock an encrypted drive without the correct credentials. None of the three zero-days are known to have been exploited in attacks yet, but all three have been publicly disclosed, meaning attackers are aware of them.
Every organisation running Windows is affected by this update. For NHS trusts, NHS suppliers, and digital health companies, the most important flaws to address are those rated critical — particularly CVE-2026-49160, which affects any Windows server that handles web traffic. A successful exploit could take that server offline. CVE-2026-45586 is relevant wherever attackers may already have limited access to a machine, including compromised workstations. CVE-2026-50507 matters in any environment where staff use laptops away from the office, as physical access to a device in a public place could be enough to bypass encryption. With over 200 vulnerabilities addressed in a single update, the risk of leaving this month's patches unapplied is higher than usual.
Recommendations:
The ShinyHunters extortion group has confirmed it breached the University of Nottingham, stealing around 40 GB of data from the institution's student record system. Breach notification service Have I Been Pwned confirmed approximately 455,000 university-related email addresses were included in the leaked dataset, along with names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and financial information relating to student fees. The university has reported the incident to Action Fraud and the ICO, and said both current students and alumni are affected. The same group has simultaneously claimed to have breached more than 100 organisations worldwide by exploiting a critical zero-day vulnerability in Oracle PeopleSoft, tracked as CVE-2026-35273 and rated 9.8 out of 10. The flaw allows unauthenticated attackers to run commands on a server with no login credentials required. Oracle issued an emergency patch on 10 June 2026. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 12 June 2026.
The University of Nottingham is one of the UK's leading research universities with close ties to the NHS and the life sciences sector. The scale of the data exposed (passport numbers, disability records, ethnicity, and payment details) means affected individuals face a significant risk of targeted phishing and identity fraud. With 100 or more organisations compromised in the same campaign, UK universities and NHS research partners running Oracle PeopleSoft should assume they are at risk until they can confirm otherwise. ShinyHunters operates on an extortion model: it publishes the stolen data publicly unless a ransom is paid, which means the data is already partially in the open. DSPT-registered organisations that share data with affected institutions need to consider their own reporting obligations.
Recommendations:
Pharmaceutical giant Novo Nordisk, the maker of Wegovy and Ozempic, has confirmed that hackers stole data relating to clinical trial participants as part of a cyberattack. The company said a limited number of internal IT systems were affected, and some have been taken offline as a precaution. The stolen data includes patient IDs, trial participation information, gender, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as smoking status, alcohol use, and BMI. Novo Nordisk said the data was pseudonymised and not directly linked to patients by name. However, the company separately warned its healthcare partners that their personal information may also have been stolen, including names, registration numbers, email addresses, phone numbers, and WhatsApp details. Affected healthcare partners have been told to expect targeted phishing attempts via email, phone, and WhatsApp from attackers potentially impersonating Novo Nordisk colleagues.
Novo Nordisk is a key partner in NHS diabetes and obesity treatment programmes, and clinical trial data, even when pseudonymised, is sensitive. Re-identification is possible when additional data is available, and the individuals involved consented to share their health information for research purposes only. The warning to healthcare partners is particularly relevant for UK GP practices, hospital trusts, and NHS-connected researchers who may be listed in Novo Nordisk's partner records. They should now be on alert for convincing phishing attempts that appear to come from Novo Nordisk representatives, including via WhatsApp, an unusual and targeted vector. This incident is also a reminder that pharmaceutical and life sciences suppliers carry significant data risk that should be reflected in your supplier assurance programme.
Recommendations:
ServiceNow has confirmed that attackers exploited a flaw in one of its API endpoints to access data from a subset of customer instances. The flaw allowed unauthenticated users, people with no account or login, to send requests to the endpoint and query tables of customer data. Information that may have been accessed includes IT support tickets, employee records, asset inventories, and security incident reports. The malicious activity began on 2 June 2026. ServiceNow's own teams had been aware of a similar issue internally since 7 April 2026, but classified it as non-urgent and planned to address it in a future update. After customers' bug bounty submissions raised the alarm on 3–4 June 2026, ServiceNow applied a patch on 5 June 2026. The flaw does not yet have a CVE identifier. This is the third significant authentication-related vulnerability in ServiceNow within eight months.
ServiceNow is widely used across NHS trusts, NHS suppliers, and corporate healthcare environments to manage IT support tickets, incidents, and service requests, all of which can contain references to staff details, system configurations, and operational information. The fact that this vulnerability was known internally for two months before a patch was applied raises legitimate concerns about how the company handles supply chain risk. Organisations using ServiceNow should confirm whether they were among the affected customers and review what data may have been exposed.
Recommendations:
Great Marlow School in Buckinghamshire entered its second consecutive day of closure on 11 June 2026 after a suspected malware attack forced it to restrict access to its network. Only students sitting GCSE and A-level exams were permitted on site, with all other pupils sent home and unable to access schoolwork remotely. The school is responding in line with guidance from the Department for Education and the National Cyber Security Centre, and has engaged specialist cybersecurity professionals. It has not been confirmed whether ransomware was involved or whether any data was stolen. The closure comes the same week that Powys County Council in Wales confirmed a cyberattack affecting 13 schools across the county. The Powys attack was originally identified in April 2026, and sensitive data belonging to students and school staff is suspected to have been compromised.
UK schools hold large volumes of personal data, including information about children, medical needs, special educational needs, family circumstances, and safeguarding records. They are often under-resourced in terms of cybersecurity, making them attractive targets. Many schools also hold data under data-sharing arrangements with NHS trusts and local authority social care teams, meaning a school breach can have knock-on implications for health data. The timing during exam season is particularly damaging, and the pattern of incidents this week (Great Marlow, Powys, Nottingham, and an Illinois high school) signals that the education sector is under coordinated pressure. Public sector organisations of all sizes should treat this as a prompt to review their own resilience.
Recommendations:
Ivanti has patched two critical vulnerabilities in Ivanti Sentry, an enterprise gateway product used to manage and secure access to backend systems, including Microsoft Exchange and ActiveSync. The most severe is CVE-2026-10520, which has received the maximum possible severity score of 10.0 out of 10. This flaw allows an attacker with no credentials to run commands on the Sentry server with full operating system privileges, giving them complete control of the device. The second flaw allows an unauthenticated attacker to create a new administrator account on the system, meaning attackers can establish persistent access even after a patch is applied, unless those accounts are found and removed. CISA added CVE-2026-10520 to its Known Exploited Vulnerabilities catalogue following confirmed exploitation attempts. Patches were released on 10 June 2026.
Ivanti products have a well-documented history of serious vulnerabilities being exploited rapidly, including in healthcare environments. Ivanti Sentry acts as a gateway between mobile devices and internal systems, so a compromise gives an attacker access to internal email, calendar, and corporate data. For NHS suppliers and health technology organisations, a compromised Sentry gateway could be a route into systems handling patient or staff data. The ability to create administrator accounts makes this flaw particularly dangerous: even after patching, organisations need to audit accounts for signs of a pre-existing foothold.
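The account audit described above can be sketched as follows. This is an added example, not Periculo's or Ivanti's code: the CSV export format, column names, account names, approved baseline, and local patch time are all constructed assumptions.

```python
import csv
from datetime import datetime

# Constructed sample: hypothetical CSV export of gateway accounts. Column names
# and values are assumptions, not Ivanti Sentry's real export format.
SAMPLE_EXPORT = """username,role,created_utc
admin,administrator,2024-01-15T09:00:00Z
j.smith,Administrator,2025-03-02T14:30:00Z
svc-backup,administrator,2026-06-08T02:14:00Z
helpdesk2,administrator,2026-06-11T23:50:00Z
Admin ,administrator,
readonly,viewer,2026-06-09T10:00:00Z
"""
APPROVED_ADMINS = {"admin", "j.smith"}  # constructed known-good baseline (lowercase)
PATCH_APPLIED = "2026-06-11T12:00:00Z"  # constructed: when this site applied the patch

def parse_utc(value):
    """Parse an ISO 8601 timestamp; return None when the field is empty."""
    value = (value or "").strip()
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_admins(export_text, approved, patch_applied):
    """Return {raw username: [reasons]} for administrator accounts needing review."""
    patched_at = parse_utc(patch_applied)
    seen, findings = set(), {}
    for row in csv.DictReader(export_text.splitlines()):
        if row["role"].strip().casefold() != "administrator":
            continue
        name = row["username"].strip().casefold()
        reasons = []
        if name in seen:
            # Same name after trimming and case-folding: a lookalike entry.
            reasons.append("duplicate of an existing admin name")
        elif name not in approved:
            reasons.append("not in approved baseline")
        seen.add(name)
        created = parse_utc(row["created_utc"])
        if created is None:
            reasons.append("no creation timestamp")
        elif reasons:
            # Patching does not remove accounts that already exist.
            when = "before" if created < patched_at else "after"
            reasons.append(f"created {when} patch was applied")
        if reasons:
            findings[row["username"]] = reasons
    return findings

if __name__ == "__main__":
    print(audit_admins(SAMPLE_EXPORT, APPROVED_ADMINS, PATCH_APPLIED))
```

Accounts flagged as created before the patch was applied are the ones patching alone leaves in place. An account flagged as created afterwards points to access that has continued.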
Recommendations:
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.