Cyber attack on Lancaster University results in National Crime Agency investigation

Lancaster University has been subject to a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data. The matter has been reported to law enforcement agencies and staff at the renowned seat of learning are now working closely with them. 

Lancaster University officials are aware of two breaches of data. First, undergraduate student applicant data records for 2019 and 2020 entry have been accessed. This includes information such as individual names, addresses, telephone numbers and e-mail addresses. Apparently, fraudulent invoices have been sent to some undergraduate applicants. Applicants have been alerted to be aware of any suspicious approaches.

Second, a breach has also occurred involving the student records system. At the present time, officials know of “a very small number” of students who have had their record and ID documents accessed. University staff are in the process of contacting those students to advise them what to do.

A statement on the University of Lancaster’s website reads: “We acted as soon as we became aware that Lancaster was the source of the breach on Friday 19 July and established an incident team to handle the situation. It was immediately reported to the Information Commissioner’s Office. Since Friday, we’ve focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected. This work of our incident team is ongoing as is the investigation by law enforcement agencies.”

In relation to this incident, a 25-year old male from Bradford was arrested on Monday by officers from the National Crime Agency’s National Cyber Crime Unit on suspicion of committing Computer Misuse Act and fraud offences.  The man has since been released under investigation while enquiries are ongoing.

Increasingly sophisticated attacks 

Tim Galligan, general manager for the EMEA at SailPoint, commented: “The phishing attack on Lancaster University goes to show that nothing and no-one is completely safe from hackers. Phishing attacks have become increasingly sophisticated in the past few years, helping criminals to impersonate legitimate organisations with eerie accuracy and believable details. As a result, no organisation should be asking if they will be breached, but more likely when.”

Galligan continued: “The premise of phishing depends on accessing the right data to build a believable trap that human users can fall into. Therefore, it’s more important than ever to ensure that the organisations we trust with that information are taking appropriate measures to protect it. People are the most vulnerable attack vector, which is why phishing attacks have remained so popular and become even more sophisticated as everyone now relies on digital platforms for communication. IT teams can do a lot to prevent phishing attacks from reaching our Inboxes, but everyone must think ‘security first’ when providing their personal information.”

He concluded: “It remains to be seen just how many students were impacted by this breach. This event should remind us all that our personal information is our most valuable asset and we should secure and guard it carefully.”

*Information on how businesses and individuals can protect themselves from cyber criminals is available on the National Cyber Security Centre’s website at

**Businesses or individuals can report cyber attacks to Action Fraud via its website at

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts