Personal student data has been stolen in a data breach at Lancaster University.
The “sophisticated and malicious” cyber-attack was discovered last Friday and an incident team was set up to deal with it.
The phishing attack gathered information including records and ID documents, and officials at the university said that fraudulent invoices were sent to undergraduate applicants.
Phishing involves attempts to trick web users into handing over sensitive information.
It’s thought that as many as 12,500 applicants’ details were leaked during the data breach.
Ironically, the university offers a Master’s course in security, which is endorsed by GCHQ.
Stolen data included names, addresses, phone numbers and emails, linked to students who had applied to join the university in 2019 and 2020.
A university spokesman said: “Lancaster University has been subject to a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data.
“The matter has been reported to law enforcement agencies and we are now working closely with them.”
The student records system was also breached in the attack.
The university also revealed that they were contacting a “very small number” of students who have had record and ID documents accessed.
The spokesman added: “Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected. This work of our incident team is ongoing, as is the investigation by law enforcement agencies.”
The National Crime Agency (NCA) told the BBC that the university had suffered a “compromise of its systems”.
A spokesman said: “A criminal investigation led by the NCA’s National Cyber Crime Unit is now under way, and it would not be appropriate to comment further at this stage.”
Lawyer Helen Davenport, who advises clients on cyber security, also told the BBC that it was “essential” sectors such as higher education took cyber-security risks “seriously” and put training and software in place to “proactively shield against future attacks”.
She said “all eyes” would now be on how the attack had impacted students’ data and how the university intended “to guard against something likely to be attempted again”.
Failure to do so “could affect the attractiveness of the university to future candidates”, she added.
The organisation also reported the incident to the Information Commissioner’s Office (ICO), which confirmed it is assessing the information the university has provided.
Ed Macnair, CEO of cyber security firm Censornet, told IT Pro that the news shows just how targeted cybercriminals are becoming in their methods, and how any and all sectors are now at constant risk.
“This kind of data allows criminals to carry out attacks like credential stuffing, where hackers attempt to log in to a number of an individual’s accounts with the intent to access card details that have been linked to certain accounts,” he said.
“Affected students should immediately change their passwords and ensure that they have unique passwords for each account they own. This attack highlights how absolutely any organisation is now vulnerable to being hacked, so more vigilance, education, and sophisticated protection is required.”