Lancaster University has been subject to a sophisticated and malicious phishing attack which has resulted in breaches of student and applicant data. The matter has been reported to law enforcement agencies and staff at the renowned seat of learning are now working closely with them.
Lancaster University officials are aware of two breaches of data. First, undergraduate student applicant data records for 2019 and 2020 entry have been accessed. This includes information such as individual names, addresses, telephone numbers and e-mail addresses. Apparently, fraudulent invoices have been sent to some undergraduate applicants. Applicants have been alerted to be aware of any suspicious approaches.
Second, a breach has also occurred involving the student records system. At the present time, officials know of “a very small number” of students who have had their record and ID documents accessed. University staff are in the process of contacting those students to advise them what to do.
A statement on the University of Lancaster’s website reads: “We acted as soon as we became aware that Lancaster was the source of the breach on Friday 19 July and established an incident team to handle the situation. It was immediately reported to the Information Commissioner’s Office. Since Friday, we’ve focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected. This work of our incident team is ongoing as is the investigation by law enforcement agencies.”
In relation to this incident, a 25-year old male from Bradford was arrested on Monday by officers from the National Crime Agency’s National Cyber Crime Unit on suspicion of committing Computer Misuse Act and fraud offences. The man has since been released under investigation while enquiries are ongoing.
Increasingly sophisticated attacks
Tim Galligan, general manager for the EMEA at SailPoint, commented: “The phishing attack on Lancaster University goes to show that nothing and no-one is completely safe from hackers. Phishing attacks have become increasingly sophisticated in the past few years, helping criminals to impersonate legitimate organisations with eerie accuracy and believable details. As a result, no organisation should be asking if they will be breached, but more likely when.”
Galligan continued: “The premise of phishing depends on accessing the right data to build a believable trap that human users can fall into. Therefore, it’s more important than ever to ensure that the organisations we trust with that information are taking appropriate measures to protect it. People are the most vulnerable attack vector, which is why phishing attacks have remained so popular and become even more sophisticated as everyone now relies on digital platforms for communication. IT teams can do a lot to prevent phishing attacks from reaching our Inboxes, but everyone must think ‘security first’ when providing their personal information.”
He concluded: “It remains to be seen just how many students were impacted by this breach. This event should remind us all that our personal information is our most valuable asset and we should secure and guard it carefully.”
*Information on how businesses and individuals can protect themselves from cyber criminals is available on the National Cyber Security Centre’s website at www.ncsc.gov.uk.
**Businesses or individuals can report cyber attacks to Action Fraud via its website at www.actionfraud.police.uk