Lancaster University has confirmed that it was “subject to a sophisticated and malicious phishing attack” which resulted in breaches of student and applicant data.
This has led to undergraduate student applicant data records for 2019 and 2020 being accessed, including names, addresses, telephone numbers and email addresses. Lancaster confirmed in its statement that it was “aware that fraudulent invoices” were being sent to some undergraduate applicants and has warned applicants to be aware of any suspicious approaches.
Also breached was Lancaster’s student records system. “At the present time we know of a very small number of students who have had their record and ID documents accessed,” it confirmed.
Its statement said that it “acted as soon as we became aware that Lancaster was the source of the breach on Friday” and immediately reported the issue to the Information Commissioner’s Office.
“Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected,” it said.
A spokesperson for the Information Commissioner’s Office said that the incident had been reported to them, and it was currently assessing the information provided.
The news follows the announcement that over 60 US colleges had been compromised after hackers exploited a vulnerability in popular ERP software.
Ed Macnair, CEO of Censornet, said that this proves how targeted cyber-criminals are becoming in their hacking methods, and how any and all sectors are now at constant risk. “The attack happened through the ever persisting phishing method,” he said. “This kind of data allows criminals to carry out attacks like credential stuffing, where hackers attempt to log in to a number of an individual's accounts with the intent to access card details that have been linked to certain accounts.
“This attack highlights how absolutely any organization is now vulnerable to being hacked, so more vigilance, education, and sophisticated protection is required.”
UPDATE: The National Crime Agency confirmed that a 25 year old man was arrested on Monday under the Computer Misuse Act.