University of Birmingham was one of at least 10 targeted by hackers in a ransomware attack last month.
An investigation is now under way to find out the full extent of the leak, but it is believed confidential information names, dates of birth, addresses, phone numbers and email addresses were stolen.
Law firm Simpson Millar said it had been contacted by hundreds of people from institutions connected to the cloud computing provider, which was hacked, concerned that their details may have been lost.
Robert Godfrey, head of professional negligence at Simpson Millar solicitors, said anyone affected by the breach could have a valid claim for damages against the University of Birmingham.
The university said it was not currently aware of any claims against it.
Mr Godfrey said: “We have had members of the universities contact us who are quite rightly very concerned.
"We are actively investigating potential claims on behalf of people directly affected by this serious breach. This is a clear violation of GDPR and data protection rules.
“I am confident any person whose details have been accessed could have a valid claim.
"It is clear there has been of breach of individuals’ right to privacy and the universities are ultimately responsible.
"There is a clear entitlement to compensation for any upset, injury and cost of support and disruption to their lives.
“The universities have a very clear duty of care to ensure that the members of their sites, who hand over their confidential information to them have their data secure and protected, are not exposed such as has happened in this breach.”
The ransomware attack targeted Blackbaud, which serves non-profits, foundations, corporations, education institutions and healthcare organisations.
There have been a number of high-profile ransomware attacks, in which hackers steal personal data and threaten to publish it, in recent years including on the NHS.
Other universities affected include York, South Wales, Cumbria, Leeds, Newcastle, Reading, Surrey and Kings College London.
A University of Birmingham spokesman said: "We are not currently aware of any claims resulting from the Blackbaud ransomware attack but would address any claims via the appropriate legal channels."