CareerConnect secured and safe to use following data security incident

Security incident 

On Thursday 28 May 2026, the third party provider of CareerConnect, GTI, informed the University the platform had been accessed by an unauthorised third party that was able to access users' first name, last name, e-mail addresses and, for users who do not sign in using Single Sign-On (SSO), encrypted passwords. 

GTI has confirmed that the security vulnerability has been fixed and additional security measures have been put in place.  

Student accounts 

Students use their SSO to sign in to CareerConnect which means their passwords are not affected. Only names and e-mail addresses would have been acquired in the breach.  

Alumni, research staff and employer accounts 

Alumni, research staff and employer users access CareerConnect with a password set locally on CareerConnect. These passwords were invalidated by GTI and users will be asked to reset their password next time they sign in.  

There is no evidence that course information, uploaded files, appointment information, or financial information were involved in this incident. GTI has stated this breach appeared to be focused on gathering credentials which may lead to phishing attempts. 

Phishing advice 

Due to the risk of phishing as result of this incident, all staff, students and external users of CareerConnect should continue to: 

• Stay alert to any suspicious emails or messages which may appear to come from trusted organisations including the University, GTI or CareerConnect, or which may attempt to threaten or coerce. 

• Verify requests for personal or financial information independently. 

• Report any suspicious or concerning emails or messages to the Information Security team at phishing@infosec.ox.ac.uk and follow the published guidance on reporting an incident. 

• Ensure that software is up to date and anti-virus is installed on all work devices (including mobile devices). 

The University will never ask for a password by email or message.

Students and staff may find the following resources useful: accessing free software (including anti-virus), protecting your computer and keeping mobile devices secure. The University’s online training course offers further information and advice about information security and data protection at Oxford.  

Please note 

• These incidents relate to a third-party system; there is no evidence of a compromise to University systems. 

• There is currently nothing to suggest that students’ passwords or financial information are affected. 

• The University is working closely with GTI and continuing to assess the impact. 

• The main precaution at this stage is to remain alert to phishing or scam emails and to ensure devices used for work or study are appropriately protected. 

• Affected users will be contacted directly if any further action becomes necessary.  

Further updates 

The University continues to work closely with GTI. Further updates will be made available on this page if the situation develops.