Five things from the past working week that a UK board should be aware of, in the order they would matter if you had to brief a chair over coffee on Monday morning. I have left out the noise. Where I have included something, it is because there is a decision attached to it.
1. ShinyHunters took 40 GB from the University of Nottingham using an Oracle zero-day
On 9 June, the data extortion group ShinyHunters posted a sample of stolen University of Nottingham data and threatened to publish the rest unless a ransom was paid. The university confirmed a breach affecting current students, alumni, and staff across its England, Malaysia, and China campuses — 455,000 unique email addresses and associated names, addresses, phone numbers, passport numbers, ethnic backgrounds, disability status, and finance records. Over 40 GB of data is alleged to have been exfiltrated.
The technical route matters. The Register reported on 11 June that ShinyHunters has been exploiting a critical Oracle PeopleSoft zero-day — unpatched at the time of writing — to compromise more than 100 organisations globally. PeopleSoft is widely used across UK higher education and local government for student records, HR, and finance. The university said it is working with Action Fraud, the ICO, and government bodies. IT Pro is maintaining a running summary of confirmed facts.
For boards. If your organisation — or a supplier — runs Oracle PeopleSoft, the question this week is whether it is internet-exposed and whether compensating controls are in place while a patch is awaited. Universities are high-profile victims, but PeopleSoft sits in NHS trusts, councils, and large employers. Passport numbers and disability status in a single breach create substantial downstream liability.
2. A Qilin affiliate is walking through unpatched Check Point VPNs
On 8 June, Help Net Security reported that the Qilin ransomware-as-a-service operation has been exploiting CVE-2026-50751, an authentication bypass (CVSS 9.3) in the deprecated IKEv1 protocol path of Check Point Remote Access VPN and Mobile Access. An attacker who presents a specially crafted certificate can connect to the VPN without a valid password. Observed exploitation dates back to 7 May; the volume increased sharply in early June. NHS England Digital issued a cyber alert to affected NHS organisations, which is a reasonable proxy for the footprint of Check Point appliances across UK critical sectors.
Check Point has published a hotfix and three mitigations: applying the hotfix, disabling support for legacy Remote Access clients, or disabling IKEv1 entirely. Rapid7's analysis confirms exploitation is still targeted rather than mass-spray, but that assessment will change once commodity actors pick up the technique.
For boards. This is a VPN-in, ransomware-out scenario with an NHS alert already attached. The question is not whether to patch but when patching will be confirmed complete. If your security team cannot answer that by close of play Monday, there is a process gap worth examining.
3. Microsoft's June Patch Tuesday set an all-time record and includes a WannaCry-class kernel flaw
On 10 June, Microsoft released patches for 208 CVEs — the largest single Patch Tuesday release on record. The headline vulnerability is CVE-2026-45657, a use-after-free in the Windows Kernel TCP/IP stack with a CVSS score of 9.8. It requires no authentication and no user interaction: an attacker sends crafted packets across a network and achieves SYSTEM privilege. Researchers have confirmed it has a wormable profile, structurally similar to EternalBlue, which was the engine behind WannaCry. Microsoft currently rates exploitation as "Less Likely", meaning no public exploit code has been confirmed yet.
Also patched this cycle was CVE-2026-47281 ("RoguePlanet"), a Windows Defender privilege escalation at CVSS 9.6 that has been confirmed actively exploited in the wild. Six zero-days were addressed in total.
For boards. The WannaCry comparison will surface in the press before Monday. The honest board question is: what is our patch deployment SLA for critical updates, and does it apply at weekends? If enterprise patch management runs on a monthly cycle, CVE-2026-45657 is the case study for why that cadence carries risk.
4. The Cyber Security and Resilience Bill cleared its final Commons stage
On 10 June, the Cyber Security and Resilience (Network and Information Systems) Bill completed report stage and third reading in the House of Commons and now passes to the House of Lords. Introduced in November 2025 and progressed through committee from February to May 2026, the Bill substantially expands the scope of the original NIS Regulations: more sectors come in, regulators gain stronger enforcement powers, and government acquires new emergency powers to amend the framework by statutory instrument in response to imminent threats. The Commons Library briefing notes Royal Assent is expected in 2026, with phased implementation potentially running to 2028.
For boards. If your organisation operates in managed services, data centres, digital infrastructure, or as a supply-chain provider to regulated entities, the question is whether your legal team has begun a gap analysis against the expanded scope. Waiting for Royal Assent to start that work is a pattern that consistently produces rushed compliance. The core obligations are visible now.
5. One week to the Data (Use and Access) Act's complaints deadline
From 19 June 2026 — next Thursday — the Data (Use and Access) Act 2025 imposes a statutory duty on data controllers to maintain a documented complaints-handling process for data protection complaints. Under the new rules, organisations must accept complaints regardless of channel — including via social media — acknowledge them within 30 days, and respond without undue delay. There are no exemptions. The ICO has published guidance and has made clear it will treat the absence of a process as a compliance failure, not an administrative oversight.
This is not a large operational lift for organisations with mature GDPR processes. For those that have relied on informal practice, the requirement to document and evidence the process is new.
For boards. The compliance date is Thursday. If no one has briefed you on whether your organisation has a compliant process in place, that gap is worth closing this weekend.
The thread that ties this together
Three of this week's five stories involve known vulnerabilities being actively exploited before most organisations have patched them: the Oracle PeopleSoft zero-day with no patch yet available, the Check Point VPN flaw with a hotfix available since early June, and a fresh Microsoft kernel vulnerability that researchers are already calling wormable. The common factor is not sophisticated tradecraft — it is the lag between disclosure and verified remediation.
The question to take into next week: when your security team tells you a critical patch has been applied, what evidence does that claim rest on, and how long does it take from release to confirmed deployment across every system in scope?